├── CyberTalents └── Competitions │ ├── Ahram Canadian University CTF Competition │ ├── Cloak and Dagger │ │ ├── Cloak and Dagger.exe │ │ └── README.md │ └── Training │ │ ├── README.md │ │ └── training │ ├── Ain Shams University CTF Competition │ └── Catch me │ │ ├── CatchMe.exe │ │ ├── README.md │ │ ├── img1.PNG │ │ └── img2.PNG │ ├── Al-Azhar University Cybersecurity CTF Competition │ ├── Bruteforce Me │ │ ├── README.md │ │ ├── bruteforceme.py │ │ └── img1.PNG │ └── Encipher │ │ ├── Encipher.exe │ │ └── README.md │ ├── CyberTeam Company Internship CTF │ ├── Mobile App │ │ ├── README.md │ │ └── mobapp.apk │ └── Say my Name │ │ ├── README.md │ │ ├── a.out │ │ ├── img1.PNG │ │ ├── img2.PNG │ │ └── img3.PNG │ ├── Egypt Universities CTF Competition │ ├── Elementary │ │ ├── README.md │ │ ├── elementary │ │ ├── img1.PNG │ │ └── img2.PNG │ ├── Good Package │ │ ├── README.md │ │ ├── img1.PNG │ │ └── simple.exe │ ├── Reverse Me │ │ ├── README.md │ │ └── messedup.jar │ └── XO │ │ ├── README.md │ │ └── tic │ ├── HITB2018DXB Pre-Conf CTF │ ├── Math Master │ │ ├── README.md │ │ └── mathmaster │ └── math is your friend │ │ ├── README.md │ │ └── rev200 │ ├── Helwan University CTF Competition │ ├── Encipher │ │ └── README.md │ └── simple reverse │ │ ├── README.md │ │ ├── img1.PNG │ │ └── simple_reverse │ ├── Lebanese American University CTF │ └── ezez keygen │ │ └── README.md │ ├── MIU CTF Competition │ └── ezez keygen │ │ ├── README.md │ │ ├── ezez_keygen │ │ └── img1.PNG │ ├── Menoufia University CTF Competition │ ├── Bruteforce Me │ │ └── README.md │ ├── They are many │ │ ├── README.md │ │ ├── They-are-many │ │ ├── img1.PNG │ │ └── img2.PNG │ └── ezez keygen │ │ └── README.md │ └── Women in Cybersecurity CTF │ ├── Mobile App │ └── README.md │ └── Say my Name │ └── README.md ├── README.md └── ctf.squnity.com ├── Ransomware ├── Arithmetic.py ├── ContinuedFractions.py ├── README.md ├── RSAwienerHacker.py ├── Ransomware.exe ├── Temp │ ├── TBOHI.tmp │ ├── TFX50.tmp │ ├── VH5JA.tmp 
│ └── ZNDKC.tmp ├── WriteUp.py └── dsafgasf.txt ├── mal_family ├── README.md ├── config.vbe ├── decode-vbe.py ├── mal_v1.exe └── mal_v2.exe └── script ├── README.md ├── flag.au3 └── script.exe /CyberTalents/Competitions/Ahram Canadian University CTF Competition/Cloak and Dagger/Cloak and Dagger.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Ahram Canadian University CTF Competition/Cloak and Dagger/Cloak and Dagger.exe -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ahram Canadian University CTF Competition/Cloak and Dagger/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | `Open The right file to get the flag` 9 | # File 10 | [Cloak and Dagger.exe](https://github.com/Revers3c-Team/CTF-writeups/blob/master/CyberTalents/Competitions/Ahram%20Canadian%20University%20CTF%20Competition/Cloak%20and%20Dagger/Cloak%20and%20Dagger.exe) 11 | # Solution 12 | The file is .NET binary (you may use [Detect It Easy](https://ntinfo.biz/) to determine the type of a binary)
13 | On running it, it just lets you select a file and then shows a message box saying `You have the wrong file!`
14 | So let's load it into dnSpy
15 | In the decompiled class `Form1` there are two methods
16 | 17 | ```c# 18 | public static string HexStr(byte[] p) 19 | { 20 | char[] array = new char[p.Length * 2 + 2]; 21 | array[0] = '0'; 22 | array[1] = 'x'; 23 | int i = 0; 24 | int num = 2; 25 | while (i < p.Length) 26 | { 27 | byte b = (byte)(p[i] >> 4); 28 | array[num] = (char)((b > 9) ? (b + 55) : (b + 48)); 29 | b = (byte)(p[i] & 15); 30 | array[++num] = (char)((b > 9) ? (b + 55) : (b + 48)); 31 | i++; 32 | num++; 33 | } 34 | return new string(array); 35 | } 36 | ``` 37 | 38 | Which just converts a byte array into hex value `'a' ---> '0x61'` (you can use https://dotnetfiddle.net/ or the interactive c# plugin at dnSpy to test c# code snippets)
39 | Also we have
40 | 41 | ```c# 42 | private void button1_Click(object sender, EventArgs e) 43 | { 44 | if (this.openFileDialog1.ShowDialog() == DialogResult.OK) 45 | { 46 | string fileName = this.openFileDialog1.FileName; 47 | try 48 | { 49 | string b = "FF0003060C1204121212000100C40307"; 50 | BinaryReader binaryReader = new BinaryReader(new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.None)); 51 | binaryReader.BaseStream.Position = 0L; 52 | byte[] p = binaryReader.ReadBytes(256); 53 | binaryReader.Close(); 54 | string a = string.Concat(new string[] 55 | { 56 | Form1.HexStr(p).Substring(2, 2), 57 | Form1.HexStr(p).Substring(34, 2), 58 | Form1.HexStr(p).Substring(66, 2), 59 | Form1.HexStr(p).Substring(98, 2), 60 | Form1.HexStr(p).Substring(130, 2), 61 | Form1.HexStr(p).Substring(162, 2), 62 | Form1.HexStr(p).Substring(194, 2), 63 | Form1.HexStr(p).Substring(226, 2), 64 | Form1.HexStr(p).Substring(258, 2), 65 | Form1.HexStr(p).Substring(290, 2), 66 | Form1.HexStr(p).Substring(322, 2), 67 | Form1.HexStr(p).Substring(354, 2), 68 | Form1.HexStr(p).Substring(386, 2), 69 | Form1.HexStr(p).Substring(418, 2), 70 | Form1.HexStr(p).Substring(450, 2), 71 | Form1.HexStr(p).Substring(482, 2) 72 | }); 73 | string str = string.Concat(new string[] 74 | { 75 | Form1.HexStr(p).Substring(4, 2), 76 | Form1.HexStr(p).Substring(36, 2), 77 | Form1.HexStr(p).Substring(68, 2), 78 | Form1.HexStr(p).Substring(100, 2), 79 | Form1.HexStr(p).Substring(132, 2), 80 | Form1.HexStr(p).Substring(164, 2), 81 | Form1.HexStr(p).Substring(196, 2), 82 | Form1.HexStr(p).Substring(228, 2), 83 | Form1.HexStr(p).Substring(260, 2), 84 | Form1.HexStr(p).Substring(292, 2), 85 | Form1.HexStr(p).Substring(324, 2), 86 | Form1.HexStr(p).Substring(356, 2), 87 | Form1.HexStr(p).Substring(388, 2), 88 | Form1.HexStr(p).Substring(420, 2), 89 | Form1.HexStr(p).Substring(452, 2), 90 | Form1.HexStr(p).Substring(484, 2) 91 | }); 92 | if (a == b) 93 | { 94 | MessageBox.Show("Flag is: " + str); 95 | } 96 | else 97 | { 98 | 
MessageBox.Show("You have the wrong file!"); 99 | } 100 | } 101 | catch (IOException) 102 | { 103 | } 104 | } 105 | } 106 | ``` 107 | 108 | Which does this: 109 | 1) Open a new file with OpenFileDialog component and read it into byte array `p`
110 | 2) Define a string `b` with value `FF0003060C1204121212000100C40307`
111 | 3) Defines a string `a` as the concatenation of the hex values of the bytes at offsets `{0,16,32,48,64,80,96,112,128,144,160,176,192,208,224,240}` (remember that `HexStr` puts `0x` at the start of the hex string and every byte maps to a 2-char hex string) 112 | 4) Also defines another string `str` in the same way as `a`, but from the bytes one position after each of those offsets
113 | 5) Checks whether string `a` equals string `b` and, if so, shows the flag, which is string `str` 114 | 115 | We can deduce some things here; first, it will crash if the opened file is smaller than 242 bytes (484 / 2), since `Substring` then throws an `ArgumentOutOfRangeException` that the `catch (IOException)` handler does not catch
116 | Second, our target here is just to open the right file, nothing else
117 | Once I understood that, I knew that the right file is somehow embedded in the binary
118 | I used `binwalk` to extract any embedded or appended files with this command `binwalk --dd=".*" "Cloak and Dagger.exe"`
119 | There are far too many extracted files to open them one by one looking for the right file
120 | Instead, I will loop through all the files, read each one, and check whether the bytes at the offsets listed above equal the expected bytes `FF0003060C1204121212000100C40307`
121 | I used this simple script to achieve it
122 | 123 | ```python 124 | >>> from os import listdir 125 | >>> from os.path import isfile, join 126 | >>> onlyfiles = [f for f in listdir(".") if isfile(join(".", f))] 127 | >>> for file in onlyfiles: 128 | ... data = open(file,'rb').read() 129 | ... if data[0] == '\xFF' and data[16] == '\x00' and data[32] == '\x03' and data[48] == '\x06' and data[64] == '\x0C' and data[80] == '\x12' and data[96] == '\x04' and data[112] == '\x12' and data[128] == '\x12' and data[144] == '\x12' and data[160] == '\x00' and data[176] == '\x01' and data[192] == '\x00' and data[208] == '\xC4' and data[224] == '\x03' and data[240] == '\x07': 130 | ... print(file) 131 | ... 132 | 7F4428 133 | ``` 134 | 135 | So we have the right file `7F4428`, open it with our program to get the flag 136 | 137 | # Flag 138 | D80103060B120712121211FF00000512 139 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ahram Canadian University CTF Competition/Training/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | `training, keep training.` 9 | # File 10 | [training](https://github.com/Revers3c-Team/CTF-writeups/blob/master/CyberTalents/Competitions/Ahram%20Canadian%20University%20CTF%20Competition/Training/training) 11 | # Solution 12 | The file is a x64 stripped linux binary
13 | On running it, it reads from stdin and just prints back whatever I type
14 | So let's load it to IDA
15 | I also used the Hex-Rays decompiler to get pseudo-code for the functions
16 | For the main function we have
17 | 18 | ```c++ 19 | __int64 __fastcall main(__int64 a1, char **a2, char **a3) 20 | { 21 | _QWORD *v3; // rax 22 | char v4; // bl 23 | __int64 v5; // rax 24 | char v7; // [rsp+Fh] [rbp-A1h] 25 | char v8; // [rsp+10h] [rbp-A0h] 26 | char v9; // [rsp+30h] [rbp-80h] 27 | char v10; // [rsp+50h] [rbp-60h] 28 | char v11; // [rsp+70h] [rbp-40h] 29 | unsigned __int64 v12; // [rsp+98h] [rbp-18h] 30 | 31 | v12 = __readfsqword(0x28u); 32 | std::__cxx11::basic_string,std::allocator>::basic_string(&v8, a2, a3); 33 | sub_130A(); 34 | while ( 1 ) 35 | { 36 | v3 = std::operator>>,std::allocator>(&std::cin, &v8); 37 | if ( !std::basic_ios>::operator bool(v3 + *(*v3 - 24LL)) ) 38 | break; 39 | std::__cxx11::basic_string,std::allocator>::basic_string(&v9, &v8); 40 | sub_13DB(&v10, &v9); 41 | v4 = 0; 42 | if ( sub_1A6C(&v10, &unk_2046A0) ) 43 | { 44 | std::allocator::allocator(&v7); 45 | v4 = 1; 46 | std::__cxx11::basic_string,std::allocator>::basic_string(&v11, "correct", &v7); 47 | } 48 | else 49 | { 50 | std::__cxx11::basic_string,std::allocator>::basic_string(&v11, &v8); 51 | } 52 | v5 = std::operator<<,std::allocator>(&std::cout, &v11); 53 | std::ostream::operator<<(v5, &std::endl>); 54 | std::__cxx11::basic_string,std::allocator>::~basic_string(&v11); 55 | if ( v4 ) 56 | std::allocator::~allocator(&v7); 57 | std::__cxx11::basic_string,std::allocator>::~basic_string(&v10); 58 | std::__cxx11::basic_string,std::allocator>::~basic_string(&v9); 59 | } 60 | std::__cxx11::basic_string,std::allocator>::~basic_string(&v8); 61 | return 0LL; 62 | } 63 | ``` 64 | 65 | Here we have a C++ program, so we have other functions to allocate memory and copy data
66 | For now we can understand 67 | ```c++ 68 | std::__cxx11::basic_string,std::allocator>::basic_string 69 | ``` 70 | to be a data copy mechanism that copies the data from the second parameter to the first one
71 | And 72 | ```c++ 73 | std::__cxx11::basic_string,std::allocator>::~basic_string 74 | ``` 75 | to be a memory free mechanism
76 | First let me explain the code line by line
77 | 1) First it defines the different used variables and their types
78 | 2) Assigns `v12` the 8-byte (qword) value found at offset 0x28 from the FS segment register (not important for us)
79 | 3) `a2` and `a3` are the parameters of the main function so this should be a default operation (not important for us)
80 | 4) Executes the function `sub_130A` 81 | 5) Initiates an infinity loop (can be broken from inside) 82 | 6) Copies the address of pointer `v8` to the address of the stdin (now any input data will be at pointer `v8`) 83 | 7) Checks if the previous operation returned properly if not it will break (not important for us) 84 | 8) Copies the address of `v8` to the address of `v9` (now any input data will be at pointer `v9`) 85 | 9) Executes sub_13DB with two pointers `v10` and `v9` (our input data) 86 | 10) Assigns `v4` to be 0 87 | 11) Executes `sub_1A6C` with two pointer `&v10` and unknown pointer at 0x2046A0 and check for the return 88 | 12) If returned a non-zero value it allocates some memory and gives its address to pointer `v7` and assigns `v4` to 1 89 | 13) Copies the string `correct` to memory of `v11` 90 | 14) If returned zero, it copies data from `v8` (our input data) to pointer `v11` 91 | 15) Copies address of `v11` (`correct` or our input data) to be the address of stdout (prints `&v11`) 92 | 16) Prints new line 93 | 17) Free memory of `v11` 94 | 18) Free memory of `v7` if `v4` is non-zero (or when the previous condition is true) 95 | 19) Free memory of `v9`, `v10`, `v8`, and return 96 | 97 | So simply it will read our input, make some check on it, if it passed it will print 'correct' if not it will print our input
98 | For the checking function `sub_1A6C` we have 99 | 100 | ```c++ 101 | _BOOL8 __fastcall sub_1A6C(__int64 a1, __int64 a2) 102 | { 103 | __int64 v2; // rbx 104 | __int64 v3; // r12 105 | __int64 v4; // rbx 106 | __int64 v5; // rax 107 | _BOOL8 result; // rax 108 | 109 | v2 = std::__cxx11::basic_string,std::allocator>::size(a1); 110 | result = 0; 111 | if ( v2 == std::__cxx11::basic_string,std::allocator>::size(a2) ) 112 | { 113 | v3 = std::__cxx11::basic_string,std::allocator>::size(a1); 114 | v4 = std::__cxx11::basic_string,std::allocator>::data(a2); 115 | v5 = std::__cxx11::basic_string,std::allocator>::data(a1); 116 | if ( !sub_18BF(v5, v4, v3) ) 117 | result = 1; 118 | } 119 | return result; 120 | } 121 | ``` 122 | 123 | And for `sub_18BF` 124 | 125 | ```c++ 126 | int __fastcall sub_18BF(const void *a1, const void *a2, size_t a3) 127 | { 128 | int result; // eax 129 | 130 | if ( a3 ) 131 | result = memcmp(a1, a2, a3); 132 | else 133 | result = 0; 134 | return result; 135 | } 136 | ``` 137 | 138 | Which seems to be a simple comparison function that makes sure the data and the size of the two pointers are the same
139 | So now we need to know the data at the pointer `unk_2046A0`, but when I tried to dump it it was not initialised
140 | Pointer `unk_2046A0` will be initialised at the runtime by some function
141 | To know where it will be filled with data in ida you can jump to its x-refernces (right click-->jump to xref)
142 | To find that it will be initialised by the function `sub_178E` at which we have 143 | 144 | ```c++ 145 | unsigned __int64 __fastcall sub_178E(int a1, int a2) 146 | { 147 | char v3; // [rsp+17h] [rbp-19h] 148 | unsigned __int64 v4; // [rsp+18h] [rbp-18h] 149 | 150 | v4 = __readfsqword(0x28u); 151 | if ( a1 == 1 && a2 == 0xFFFF ) 152 | { 153 | std::ios_base::Init::Init(&unk_204680); 154 | __cxa_atexit(&std::ios_base::Init::~Init, &unk_204680, &off_204008); 155 | std::allocator::allocator(&v3); 156 | std::__cxx11::basic_string,std::allocator>::basic_string( 157 | &unk_2046A0, 158 | "IQHR}nxio_vtvk_aapbijsr_vnxwbbmm{", 159 | &v3); 160 | std::allocator::~allocator(&v3); 161 | __cxa_atexit( 162 | &std::__cxx11::basic_string,std::allocator>::~basic_string, 163 | &unk_2046A0, 164 | &off_204008); 165 | sub_19B4(&unk_204260); 166 | __cxa_atexit(sub_261E, &unk_204260, &off_204008); 167 | } 168 | return __readfsqword(0x28u) ^ v4; 169 | } 170 | ``` 171 | 172 | From the code we know that it will copy the string `IQHR}nxio_vtvk_aapbijsr_vnxwbbmm{` to our unknown pointer
173 | Now I am pretty sure that the function `sub_13DB` is the encryption function that takes two pointers `&v10` and `&v9` (our input) and it will encrypt our input and copy the result to `&v10` to be checked again by `sub_1A6C`
174 | Now for `sub_13DB` we have 175 | 176 | ```c++ 177 | __int64 __fastcall sub_13DB(__int64 a1, __int64 a2) 178 | { 179 | int v2; // ebx 180 | char *v3; // rax 181 | signed int v4; // eax 182 | char *v5; // rax 183 | char *v6; // rax 184 | __int64 v7; // rbx 185 | int i; // [rsp+14h] [rbp-1Ch] 186 | int v10; // [rsp+18h] [rbp-18h] 187 | 188 | for ( i = 0; *std::__cxx11::basic_string,std::allocator>::operator[](a2, i); ++i ) 189 | { 190 | v2 = *std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 191 | v10 = v2 + *sub_1A4C(&unk_204260, i); 192 | v3 = std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 193 | if ( sub_1929(*v3) ) 194 | { 195 | v4 = 122; 196 | } 197 | else 198 | { 199 | v5 = std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 200 | if ( sub_194C(*v5) ) 201 | v4 = 90; 202 | else 203 | v4 = *std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 204 | } 205 | while ( v10 > v4 ) 206 | v10 -= 26; 207 | if ( *std::__cxx11::basic_string,std::allocator>::operator[](a2, i) == 123 ) 208 | { 209 | LOBYTE(v7) = 125; 210 | } 211 | else if ( *std::__cxx11::basic_string,std::allocator>::operator[](a2, i) == 125 ) 212 | { 213 | LOBYTE(v7) = 123; 214 | } 215 | else 216 | { 217 | v6 = std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 218 | if ( sub_18FA(*v6) ) 219 | LOBYTE(v7) = v10; 220 | else 221 | v7 = *std::__cxx11::basic_string,std::allocator>::operator[](a2, i); 222 | } 223 | *std::__cxx11::basic_string,std::allocator>::operator[](a2, i) = v7; 224 | } 225 | std::__cxx11::basic_string,std::allocator>::basic_string(a1, a2); 226 | return a1; 227 | } 228 | ``` 229 | 230 | You can understand 231 | ```c++ 232 | std::__cxx11::basic_string,std::allocator>::operator[](a2, i) 233 | ``` 234 | to be just `(&a2+i)` which is `a2[i]`
235 | 236 | For `sub_1A4C`, `sub_1929`, `sub_194C`, `sub_18FA`, they are just small checking functions
237 | 238 | Also we have this pointer `unk_204260` which is also not initialised, jump to its x-references to find out the function that will fill it
239 | This function is `sub_130A` which is hard to be reversed so we will debug (source code debugging) it to get the data at this pointer
240 | I set a break point at the line after the line it used in
241 | I used ida x64 remote linux debugger server on ubuntu x64
242 | Dumped the data from it with `GetManyBytes` idapython api function
243 | The dumped data was 244 | `['\x03\x00\x00\x00\x05\x00\x00\x00\x07\x00\x00\x00\x0b\x00\x00\x00\r\x00\x00\x00\x11\x00\x00\x00\x13\x00\x00\x00\x17\x00\x00\x00\x1d\x00\x00\x00\x1f\x00\x00\x00%\x00\x00\x00)\x00\x00\x00+\x00\x00\x00/\x00\x00\x005\x00\x00\x00;\x00\x00\x00=\x00\x00\x00C\x00\x00\x00G\x00\x00\x00I\x00\x00\x00O\x00\x00\x00S\x00\x00\x00Y\x00\x00\x00a\x00\x00\x00e\x00\x00\x00g\x00\x00\x00k\x00\x00\x00m\x00\x00\x00q\x00\x00\x00\x7f\x00\x00\x00\x83\x00\x00\x00\x89\x00\x00\x00\x8b\x00\x00\x00\x95\x00\x00\x00\x97\x00\x00\x00\x9d\x00\x00\x00\xa3\x00\x00\x00\xa7\x00\x00\x00\xad\x00\x00\x00\xb3\x00\x00\x00\xb5\x00\x00\x00\xbf\x00\x00\x00\xc1\x00\x00\x00\xc5\x00\x00\x00\xc7\x00\x00\x00\xd3\x00\x00\x00\xdf\x00\x00\x00\xe3\x00\x00\x00\xe5\x00\x00\x00\xe9\x00\x00\x00\xef\x00\x00\x00\xf1\x00\x00\x00\xfb\x00\x00\x00']` 245 | And knowing the fact that these bytes will be casted to be int32 and every int32 is 4 bytes, also we know that the bytes are in little-endian format so a bytes array like `'\x03\x00\x00\x00'` is just 0x03 and so on
246 | So for now we have our key array to be 247 | ``` 248 | [0x03,0x05,0x07,0x0b,0x0d,0x11,0x13,0x17,0x1D,0x1F,0x25,0x29,0x2B,0x2F,0x35,0x3B,0x3D,0x43,0x47,0x49,0x4F,0x53,0x59,0x61,0x65,0x67,0x6B,0x6D,0x71,0x7F,0x83,0x89,0x8B,0x95,0x97,0x9D,0x0A3,0xA7,0xAD,0xB3,0xB5,0xbf,0xc1,0xc5,0xc7,0xd3,0xdf,0xe3,0xe5,0xe9,0xef,0xf1,0xfb] 249 | ``` 250 | 251 | So for this encryption function we have the output which is `IQHR}nxio_vtvk_aapbijsr_vnxwbbmm{` and the key
252 | This is a kind of rotation cipher, so I assumed I would get the right flag by repeatedly feeding the output back in as input
253 | I also rewrote it in Python so that we can decrypt our string
254 | I made this script
255 | 256 | ```python 257 | key = [0x03,0x05,0x07,0x0b,0x0d,0x11,0x13,0x17,0x1D,0x1F,0x25,0x29,0x2B,0x2F,0x35,0x3B,0x3D,0x43,0x47,0x49,0x4F,0x53,0x59,0x61,0x65,0x67,0x6B,0x6D,0x71,0x7F,0x83,0x89,0x8B,0x95,0x97,0x9D,0x0A3,0xA7,0xAD,0xB3,0xB5,0xbf,0xc1,0xc5,0xc7,0xd3,0xdf,0xe3,0xe5,0xe9,0xef,0xf1,0xfb] 258 | def enc(inp): 259 | inp = list(inp) 260 | for i in range(len(inp)): 261 | current_char = ord(inp[i]) 262 | v17 = ord(inp[i]) + key[i] 263 | if current_char > 96 and current_char <= 122: 264 | v6 = 122 265 | else: 266 | if (current_char > 96 and current_char <= 122 or current_char > 64 and current_char <= 90) and not (current_char > 96 and current_char <= 122): 267 | v6 = 90 268 | else: 269 | v6 = current_char 270 | while v17 > v6: v17 -= 26 271 | if current_char == 123: 272 | v12 = 125 273 | else: 274 | if current_char == 125: 275 | v12 = 123 276 | else: 277 | if current_char > 96 and current_char <= 122 or current_char > 64 and current_char <= 90: 278 | v12 = v17 279 | else: 280 | v12 = current_char 281 | inp[i] = chr(v12) 282 | return ''.join(inp) 283 | 284 | 285 | flag="IQHR}nxio_vtvk_aapbijsr_vnxwbbmm{" 286 | while True: 287 | if "FLAG" in flag: 288 | print(flag) 289 | break 290 | flag = enc(flag) 291 | ``` 292 | 293 | Run it to get the right flag
294 | # Flag 295 | FLAG{well_keep_training_yourself} 296 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ahram Canadian University CTF Competition/Training/training: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Ahram Canadian University CTF Competition/Training/training -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/CatchMe.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/CatchMe.exe -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | `Catch me if you can` 9 | # File 10 | [CatchMe.exe](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Ain%20Shams%20University%20CTF%20Competition/Catch%20me/CatchMe.exe) 11 | # Solution 12 | The file is x86 window binary, so loaded it to IDA
13 | In the main function there's nothing interesting 14 | 15 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Ain%20Shams%20University%20CTF%20Competition/Catch%20me/img1.PNG) 16 | 17 | After some thinking, I decided to view the exported functions (View --> Open subviews --> Exports); I found `start`, which leads to the main function, and `TlsCallback_0`, so I followed it
18 | 19 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Ain%20Shams%20University%20CTF%20Competition/Catch%20me/img2.PNG) 20 | 21 | I also searched for it
22 | `TLS (thread local storage) callbacks are subroutines that are executed before the entry point.`
23 | So a malware author may use them to execute code before the entry point is even reached
24 | Here we have an anti-debugging check using the `IsDebuggerPresent` API call
25 | If run normally (i.e. with no debugger attached), it checks whether its own file name is `i_got_it` (without the extension)
26 | So I just renamed it to `i_got_it.exe` and ran it
27 | 28 | # Flag 29 | flag{TLS_1S_G00D:)} 30 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/img2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Ain Shams University CTF Competition/Catch me/img2.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Bruteforce Me/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Easy 5 | # Points 6 | 50 7 | # Description 8 | `flag format flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx},only a-z,0-9,_ are allowed. try to find the only flag that makes sense. Note: no special hardware is required to bruteforce https://www.youtube.com/watch?v=hyk46UmJPS4 this may help you coding the solution. 
DON'T BRUTEFORCE KEY SUBMISSIONS.` 9 | # File 10 | [bruteforceme.py](https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/master/CyberTalents/Competitions/Al-Azhar%20University%20Cybersecurity%20CTF%20Competition/Bruteforce%20Me/bruteforceme.py) 11 | # Solution 12 | We have this script 13 | 14 | ```python 15 | ll =[51, 54, 48, 51, 61, 57, 50, 54, 48, 52, 55, 50, 50, 57, 47, 52, 57, 47, 54, 24, 57, 58, 62] 16 | 17 | i = raw_input() 18 | ss= 0 19 | try: 20 | for ii in range(0,46 , 2): 21 | temp = i[ii:ii+2] 22 | temp = int(temp,0x10) 23 | ss+=temp 24 | temp >>=1 25 | if temp != ll[ii/2]: 26 | print "Something is wrong" 27 | if ss !=2406: 28 | print ss/0 29 | print "This flag may or may not work, can you find more ?" 30 | 31 | except: 32 | print "NO" 33 | ``` 34 | 35 | Which does this
36 | 1) Defines the list `ll`, receives input of user into `i`, starts a loop in range of 0 to 46 with step 2, at every iteration `temp` equals a chunk of two chars from the input, and it will be decoded as hex to int, it will be added to `ss`
37 | 2) After that it will be divided by 2 (right shifting by 1 bit), and a check is made to make sure `temp` equals an equivalent-index item from `ll` list
38 | 3) After the loop ends it will make sure `ss` equals 2406, and this will be one of the solutions (may or may not be right) 39 | 40 | So I made these assumptions 41 | 1) Our input length should be 46
42 | 2) The input must be the hex-encoded flag so the right flag must be 23 chars
43 | 3) First I thought it's very easy as we can just multiply `ll` list by 2 and it decode it as ascii and it will be the flag
44 | 4) I was wrong because of the fact that the dividing operation here will return only the quotient (the remainder is lost)
45 | ```python 46 | >>> 55 >> 1 == 54 >> 1 == 27 47 | True 48 | ``` 49 | 5) For now we know that the flag is the ascii decoded list `[102, 108, 98, 102, 122, 114, 100, 108, 96, 104, 110, 100, 100, 114, 94, 104, 114, 94, 108, 48, 114, 116, 124]` (`ll` * 2) but every number may be itself or added to 1
50 | 6) There are too many possibilities here (about 2^23 possible solution), we can brute force the flag if just figured out an algorithm for a recursive function that will generate all the possible lists
51 | 52 | So I made this script to brute force the flag
53 | 54 | ```python 55 | ll =[51, 54, 48, 51, 61, 57, 50, 54, 48, 52, 55, 50, 50, 57, 47, 52, 57, 47, 54, 24, 57, 58, 62] 56 | ll = [i*2 for i in ll] 57 | def get_instance(i=0,c_list=[0] * 23): 58 | if i == 23: 59 | if sum(c_list) == 2406: 60 | string = ''.join([chr(i) for i in c_list]) 61 | if string.startswith('flag{') and string.endswith("}"): 62 | print(string) 63 | return 64 | c_list[i] = ll[i] 65 | get_instance(i+1,c_list) 66 | c_list[i] = ll[i] + 1 67 | get_instance(i+1,c_list) 68 | get_instance() 69 | ``` 70 | 71 | The output was
72 | 73 | ``` 74 | flag{rdl`hndes_is_m1su} 75 | flag{rdl`hneds_is_m1su} 76 | flag{rdl`hneer_is_m1su} 77 | flag{rdl`hnees^is_m1su} 78 | flag{rdl`hnees_hs_m1su} 79 | flag{rdl`hnees_ir_m1su} 80 | flag{rdl`hnees_is^m1su} 81 | flag{rdl`hnees_is_l1su} 82 | flag{rdl`hnees_is_m0su} 83 | flag{rdl`hnees_is_m1ru} 84 | flag{rdl`hnees_is_m1st} 85 | flag{rdl`hodds_is_m1su} 86 | flag{rdl`hoder_is_m1su} 87 | flag{rdl`hodes^is_m1su} 88 | flag{rdl`hodes_hs_m1su} 89 | flag{rdl`hodes_ir_m1su} 90 | ..... 91 | ``` 92 | 93 | Based on the output I kept adding filters and testing it so the last one is
94 | 95 | ```python 96 | ll =[51, 54, 48, 51, 61, 57, 50, 54, 48, 52, 55, 50, 50, 57, 47, 52, 57, 47, 54, 24, 57, 58, 62] 97 | ll = [i*2 for i in ll] 98 | def get_instance(i=0,c_list=[0] * 23): 99 | if i == 23: 100 | if sum(c_list) == 2406: 101 | string = ''.join([chr(i) for i in c_list]) 102 | if string.startswith('flag{') and string.endswith("}") and "_is_" in string and not '^' in string and "`" not in string and ("l1st" in string or "m0st" in string or "l0st" in string): 103 | print(string) 104 | return 105 | c_list[i] = ll[i] 106 | get_instance(i+1,c_list) 107 | c_list[i] = ll[i] + 1 108 | get_instance(i+1,c_list) 109 | get_instance() 110 | ``` 111 | 112 | Now the output reduced to be 182 possible solution, I redirected it to a file and opened it with vscode
113 | I've also installed this [plugin](https://marketplace.visualstudio.com/items?itemName=ban.spellright) in vscode to check the syntax
114 | And I got the flag
115 | 116 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Al-Azhar%20University%20Cybersecurity%20CTF%20Competition/Bruteforce%20Me/img1.PNG) 117 | 118 | # Flag 119 | flag{remainder_is_l0st} 120 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Bruteforce Me/bruteforceme.py: -------------------------------------------------------------------------------- 1 | ll =[51, 54, 48, 51, 61, 57, 50, 54, 48, 52, 55, 50, 50, 57, 47, 52, 57, 47, 54, 24, 57, 58, 62] 2 | 3 | i = raw_input() 4 | ss= 0 5 | try: 6 | for ii in range(0,46 , 2): 7 | temp = i[ii:ii+2] 8 | temp = int(temp,0x10) 9 | ss+=temp 10 | temp >>=1 11 | if temp != ll[ii/2]: 12 | print "Something is wrong" 13 | if ss !=2406: 14 | print ss/0 15 | print "This flag may or may not work, can you find more ?" 16 | 17 | except: 18 | print "NO" 19 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Bruteforce Me/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Bruteforce Me/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Encipher/Encipher.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Encipher/Encipher.exe -------------------------------------------------------------------------------- 
/CyberTalents/Competitions/Al-Azhar University Cybersecurity CTF Competition/Encipher/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Easy 5 | # Points 6 | 50 7 | # Description 8 | Decrypt this string `0a0c073c5a55072c117e442b0c60501627614efd` 9 | # File 10 | [Encipher.exe](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Al-Azhar%20University%20Cybersecurity%20CTF%20Competition/Encipher/Encipher.exe) 11 | # Solution 12 | The file is x86 windows binary which will encrypt the input, so let's load it to IDA
13 | Our target function is `sub_4015C0` and it looks like this
14 | 15 | ```c++ 16 | int sub_4015C0() 17 | { 18 | FILE *File; // eax 19 | char *i; // eax 20 | signed int v3; // [esp+28h] [ebp-8h] 21 | signed int j; // [esp+2Ch] [ebp-4h] 22 | 23 | sub_401760(); 24 | printf("[+] Enter text to encipher : "); 25 | File = off_403024(0); 26 | fgets(Buf, 22, File); 27 | v3 = strlen(Buf) - 1; 28 | for ( i = Buf; *i; ++i ) 29 | { 30 | if ( i[1] == 10 ) 31 | { 32 | *i ^= 0x80u; 33 | break; 34 | } 35 | *i ^= i[1]; 36 | } 37 | printf("[+] Enciphered Text : "); 38 | for ( j = 0; j < v3; ++j ) 39 | printf("%x%x", (Buf[j] >> 4), Buf[j] & 0xF); 40 | getch(); 41 | return 0; 42 | } 43 | ``` 44 | 45 | Which does this
46 | 1) Reads a string of up to 22 chars from stdin and stores it in `Buf`
47 | 2) It loops through the input chars (from the start to the first null byte) and at every iteration it will
48 | a) Checks whether the next char's ASCII code is 10 (i.e. the next char is '\n'); if so, it XORs the current char with 0x80 and breaks
49 | b) Otherwise, XORs the current char with the next char
50 | 3) Prints the output in hex
52 | So basically all it does is XOR every char with the next one, and XOR the last char with 0x80
53 | So to reverse this, all we need to do is XOR the last char with 0x80 and then apply the same operation in the reverse direction
54 | I made this script
55 | 56 | ```python 57 | >>> enc_flag = '0a0c073c5a55072c117e442b0c60501627614efd'.decode('hex') 58 | >>> flag = "" 59 | >>> ch = 0 60 | >>> for i in range(len(enc_flag))[::-1]: 61 | ... hex_ch = ord(enc_flag[i]) 62 | ... if i == len(enc_flag) - 1: 63 | ... ch = hex_ch ^ 0x80 64 | ... else: 65 | ... ch = hex_ch ^ ch 66 | ... flag += chr(ch) 67 | ... 68 | >>> print(flag[::-1]) 69 | FL@G{!ts_N0t_S3cuR3} 70 | ``` 71 | 72 | # Flag 73 | FL@G{!ts_N0t_S3cuR3} 74 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Mobile App/mobapp.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/CyberTeam Company Internship CTF/Mobile App/mobapp.apk -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | Not Available 9 | # File 10 | [a.out](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Say%20my%20Name/a.out) 11 | # Solution 12 | The file is x86 non-stripped linux binary
13 | Let's load it into IDA
14 | Also, I renamed some variables based on their functionality
15 | For the main function
16 | 17 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Say%20my%20Name/img1.PNG) 18 | 19 | Which reads two names, `firstname` and `secondname`, from stdin, each limited to 7 chars
20 | After that it starts a loop as follows
21 | 22 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Say%20my%20Name/img2.PNG) 23 | 24 | It's clear that it loops from 0 to 6 (7 iterations) and at every iteration XORs a char from `firstname` with the char at the same index in `secondname`, storing the result in the `s1` array 25 | Let's continue
26 | 27 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Say%20my%20Name/img3.PNG) 28 | 29 | At this point it checks if the array `s1` equals the array `unk_97F`
30 | `unk_97F`'s address is 0x97F (as IDA names unknown memory locations after their addresses)
31 | I dumped the value of this array (only 7 bytes are needed) using the IDAPython API with this command
32 | ```python 33 | >>> print([GetManyBytes(0x97F,7)]) 34 | ['\x05\x1d\r\x04\x10r\x00'] 35 | ``` 36 | After that it will decode the flag and print it
37 | 38 | So we have two ways:
39 | 1) Debug it, redirect the flow to the start of the decryption loop, and set the `s1` array to `\x05\x1d\r\x04\x10r\x00`
40 | 2) Just find any two strings whose XOR produces this array 41 | 42 | I used the second way, so I wrote this simple Python script
43 | ```python 44 | >>> import subprocess 45 | >>> str1 = 'plapla1' 46 | >>> arr = '\x05\x1d\r\x04\x10r\x00' 47 | >>> str2 = ''.join(chr(ord(str1[i]) ^ ord(arr[i])) for i in range(7)) 48 | >>> process = subprocess.Popen(["./a.out"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) 49 | >>> process.stdin.write(str1+str2) 50 | >>> print(process.communicate()[0]) 51 | Please enter your first name: 52 | Please enter your last name: 53 | Hello Boss, Here's your flag: 54 | FLAG{SO_MANY_XORS} 55 | ``` 56 | # Flag 57 | FLAG{SO_MANY_XORS} 58 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/a.out -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img2.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img3.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/CyberTeam Company Internship CTF/Say my Name/img3.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | ```Here we've prepared a simple program, crack me if you can.``` 9 | # File 10 | [Elementary](https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Elementary/elementary) 11 | # Solution 12 | First we check the binary's architecture with the `file` command 13 | ``` 14 | $ file elementary 15 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d39e86cbb1ab3d21df90dda89aa7c1b27465d613, stripped 16 | ``` 17 | So it's an x64 stripped Linux binary
18 | We load it in IDA and rename the variables
19 | The main function
20 | 21 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Elementary/img1.PNG) 22 | 23 | From that we understand that it will read from stdin into two pointers username and password
24 | After that it passes the two pointers as arguments to func1 and then checks the return status code stored in `eax`
25 | 26 | The func1 function 27 | 28 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Elementary/img2.PNG) 29 | 30 | It's clear that it checks whether the password equals `N1C3Tryy` and prints `nice!` if so, ignoring the username entirely
31 | So we got our flag
32 | # Flag 33 | N1C3Tryy 34 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/elementary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/elementary -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/img2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Elementary/img2.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Good Package/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Easy 5 | # Points 6 | 50 7 | # Description 8 | ```This is not a good package``` 9 | # File 10 | [simple.exe](https://github.com/Revers3c-Team/CTF-writeups/blob/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Good%20Package/simple.exe) 11 | # Solution 12 | The file is x86 windows binary compiled with its debugging information
13 | So we load it into IDA
14 | 15 | The main function 16 | 17 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Good%20Package/img1.PNG) 18 | 19 | Actually, the flag value is dynamically initialized as shown
20 | To convert a hex value to an ASCII string in Python (reversing the bytes, since the dword is stored little-endian)
21 | ```python 22 | >>> print("67616C66".decode('hex')[::-1]) 23 | flag 24 | ``` 25 | 26 | So we have our flag 27 | # Flag 28 | flag{B4sics_4r3_ManDat0ry} 29 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Good Package/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Good Package/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Good Package/simple.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Good Package/simple.exe -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Reverse Me/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | ```Developer thinks he can code better than us, lets prove him wrong!``` 9 | # File 10 | [messedup.jar](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/Reverse%20Me/messedup.jar) 11 | # Solution 12 | To-Do 13 | # Flag 14 | To-Do 15 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/Reverse Me/messedup.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/Reverse Me/messedup.jar -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/XO/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | ```i am dead in the code find me``` 9 | # File 10 | [tic](https://github.com/Revers3c-Team/CTF-writeups/blob/master/CyberTalents/Competitions/Egypt%20Universities%20CTF%20Competition/XO/tic?raw=true) 11 | # Solution 12 | The binary is a non-stripped x64 linux binary
13 | So we load it in IDA
14 | The pseudo-code for main is
15 | ```c++ 16 | int __cdecl main(int argc, const char **argv, const char **envp) 17 | { 18 | unsigned int v3; // eax 19 | char v4; // al 20 | int v6; // [rsp+0h] [rbp-10h] 21 | int v7; // [rsp+4h] [rbp-Ch] 22 | char v8; // [rsp+Bh] [rbp-5h] 23 | unsigned int v9; // [rsp+Ch] [rbp-4h] 24 | 25 | v9 = 1; 26 | do 27 | { 28 | board(); 29 | if ( v9 & 1 ) 30 | v3 = 1; 31 | else 32 | v3 = 2; 33 | v9 = v3; 34 | printf("Player %d, enter a number: ", v3); 35 | __isoc99_scanf("%d", &v6); 36 | if ( v9 == 1 ) 37 | v4 = 88; 38 | else 39 | v4 = 79; 40 | v8 = v4; 41 | if ( v6 != 1 || byte_4059 != 49 ) 42 | { 43 | if ( v6 != 2 || byte_405A != 50 ) 44 | { 45 | if ( v6 != 3 || byte_405B != 51 ) 46 | { 47 | if ( v6 != 4 || byte_405C != 52 ) 48 | { 49 | if ( v6 != 5 || byte_405D != 53 ) 50 | { 51 | if ( v6 != 6 || byte_405E != 54 ) 52 | { 53 | if ( v6 != 7 || byte_405F != 55 ) 54 | { 55 | if ( v6 != 8 || byte_4060 != 56 ) 56 | { 57 | if ( v6 != 9 || byte_4061 != 57 ) 58 | { 59 | printf("Invalid move ", &v6); 60 | --v9; 61 | getch(); 62 | } 63 | else 64 | { 65 | byte_4061 = v8; 66 | } 67 | } 68 | else 69 | { 70 | byte_4060 = v8; 71 | } 72 | } 73 | else 74 | { 75 | byte_405F = v8; 76 | } 77 | } 78 | else 79 | { 80 | byte_405E = v8; 81 | } 82 | } 83 | else 84 | { 85 | byte_405D = v8; 86 | } 87 | } 88 | else 89 | { 90 | byte_405C = v8; 91 | } 92 | } 93 | else 94 | { 95 | byte_405B = v8; 96 | } 97 | } 98 | else 99 | { 100 | byte_405A = v8; 101 | } 102 | } 103 | else 104 | { 105 | byte_4059 = v8; 106 | } 107 | v7 = checkwin(); 108 | ++v9; 109 | } 110 | while ( v7 == -1 ); 111 | board(); 112 | if ( v7 == 2 ) 113 | mem(); 114 | if ( v7 == 1 ) 115 | printf("==>\aPlayer %d win ", --v9); 116 | else 117 | printf("==>\aGame draw", &v6); 118 | getch(); 119 | return 0; 120 | } 121 | ``` 122 | This is a kind of XO game and the flag is not related with it at all
123 | We first identify the different functions
124 | For the function `board`
125 | ```c++ 126 | int board() 127 | { 128 | system("cls"); 129 | puts("\n\n\tTic Tac Toe\n"); 130 | puts("Player 1 (X) - Player 2 (O)\n\n"); 131 | puts(" | | "); 132 | printf(" %c | %c | %c \n", byte_4059, byte_405A, byte_405B); 133 | puts("_____|_____|_____"); 134 | puts(" | | "); 135 | printf(" %c | %c | %c \n", byte_405C, byte_405D, byte_405E); 136 | puts("_____|_____|_____"); 137 | puts(" | | "); 138 | printf(" %c | %c | %c \n", byte_405F, byte_4060, byte_4061); 139 | return puts(" | | \n"); 140 | } 141 | ``` 142 | It is just a part of the game
143 | And the same goes for the function `checkwin`
144 | For the function `mem` (executed only under a certain condition)
145 | ```c++ 146 | int mem() 147 | { 148 | size_t v0; // rbx 149 | char v2[32]; // [rsp+0h] [rbp-90h] 150 | char v3; // [rsp+20h] [rbp-70h] 151 | char v4; // [rsp+21h] [rbp-6Fh] 152 | char v5; // [rsp+22h] [rbp-6Eh] 153 | char v6; // [rsp+23h] [rbp-6Dh] 154 | char v7; // [rsp+24h] [rbp-6Ch] 155 | char v8; // [rsp+25h] [rbp-6Bh] 156 | char v9; // [rsp+26h] [rbp-6Ah] 157 | char v10; // [rsp+27h] [rbp-69h] 158 | char v11; // [rsp+28h] [rbp-68h] 159 | char v12; // [rsp+29h] [rbp-67h] 160 | char v13; // [rsp+2Ah] [rbp-66h] 161 | char v14; // [rsp+2Bh] [rbp-65h] 162 | char v15; // [rsp+2Ch] [rbp-64h] 163 | char v16; // [rsp+2Dh] [rbp-63h] 164 | char v17; // [rsp+2Eh] [rbp-62h] 165 | char v18; // [rsp+2Fh] [rbp-61h] 166 | char v19; // [rsp+30h] [rbp-60h] 167 | char v20; // [rsp+31h] [rbp-5Fh] 168 | char v21; // [rsp+32h] [rbp-5Eh] 169 | char v22; // [rsp+33h] [rbp-5Dh] 170 | char v23; // [rsp+34h] [rbp-5Ch] 171 | char v24; // [rsp+35h] [rbp-5Bh] 172 | char v25; // [rsp+36h] [rbp-5Ah] 173 | char v26; // [rsp+37h] [rbp-59h] 174 | char v27; // [rsp+38h] [rbp-58h] 175 | char v28; // [rsp+39h] [rbp-57h] 176 | char v29; // [rsp+3Ah] [rbp-56h] 177 | char v30; // [rsp+3Bh] [rbp-55h] 178 | char v31; // [rsp+3Ch] [rbp-54h] 179 | char v32; // [rsp+3Dh] [rbp-53h] 180 | char v33; // [rsp+3Eh] [rbp-52h] 181 | char v34; // [rsp+3Fh] [rbp-51h] 182 | char v35; // [rsp+40h] [rbp-50h] 183 | char v36; // [rsp+41h] [rbp-4Fh] 184 | char s; // [rsp+50h] [rbp-40h] 185 | char v38; // [rsp+51h] [rbp-3Fh] 186 | char v39; // [rsp+52h] [rbp-3Eh] 187 | char v40; // [rsp+53h] [rbp-3Dh] 188 | char v41; // [rsp+54h] [rbp-3Ch] 189 | char v42; // [rsp+55h] [rbp-3Bh] 190 | char v43; // [rsp+56h] [rbp-3Ah] 191 | char v44; // [rsp+57h] [rbp-39h] 192 | char v45; // [rsp+58h] [rbp-38h] 193 | char v46; // [rsp+59h] [rbp-37h] 194 | char v47; // [rsp+5Ah] [rbp-36h] 195 | char v48; // [rsp+5Bh] [rbp-35h] 196 | char v49; // [rsp+5Ch] [rbp-34h] 197 | char v50; // [rsp+5Dh] [rbp-33h] 198 | char v51; // [rsp+5Eh] 
[rbp-32h] 199 | char v52; // [rsp+5Fh] [rbp-31h] 200 | char v53; // [rsp+60h] [rbp-30h] 201 | char v54; // [rsp+61h] [rbp-2Fh] 202 | char v55; // [rsp+62h] [rbp-2Eh] 203 | char v56; // [rsp+63h] [rbp-2Dh] 204 | char v57; // [rsp+64h] [rbp-2Ch] 205 | char v58; // [rsp+65h] [rbp-2Bh] 206 | char v59; // [rsp+66h] [rbp-2Ah] 207 | char v60; // [rsp+67h] [rbp-29h] 208 | char v61; // [rsp+68h] [rbp-28h] 209 | char v62; // [rsp+69h] [rbp-27h] 210 | char v63; // [rsp+6Ah] [rbp-26h] 211 | char v64; // [rsp+6Bh] [rbp-25h] 212 | char v65; // [rsp+6Ch] [rbp-24h] 213 | char v66; // [rsp+6Dh] [rbp-23h] 214 | char v67; // [rsp+6Eh] [rbp-22h] 215 | char v68; // [rsp+6Fh] [rbp-21h] 216 | char v69; // [rsp+70h] [rbp-20h] 217 | char v70; // [rsp+71h] [rbp-1Fh] 218 | char v71; // [rsp+7Bh] [rbp-15h] 219 | int i; // [rsp+7Ch] [rbp-14h] 220 | 221 | s = 49; 222 | v38 = 50; 223 | v39 = 51; 224 | v40 = 52; 225 | v41 = 53; 226 | v42 = 54; 227 | v43 = 55; 228 | v44 = 56; 229 | v45 = 57; 230 | v46 = 49; 231 | v47 = 50; 232 | v48 = 51; 233 | v49 = 52; 234 | v50 = 53; 235 | v51 = 54; 236 | v52 = 55; 237 | v53 = 56; 238 | v54 = 57; 239 | v55 = 49; 240 | v56 = 50; 241 | v57 = 51; 242 | v58 = 52; 243 | v59 = 53; 244 | v60 = 54; 245 | v61 = 55; 246 | v62 = 56; 247 | v63 = 57; 248 | v64 = 49; 249 | v65 = 50; 250 | v66 = 51; 251 | v67 = 52; 252 | v68 = 53; 253 | v69 = 54; 254 | v70 = 55; 255 | v3 = 119; 256 | v4 = 94; 257 | v5 = 82; 258 | v6 = 83; 259 | v7 = 78; 260 | v8 = 101; 261 | v9 = 67; 262 | v10 = 12; 263 | v11 = 109; 264 | v12 = 88; 265 | v13 = 113; 266 | v14 = 108; 267 | v15 = 0; 268 | v16 = 91; 269 | v17 = 2; 270 | v18 = 123; 271 | v19 = 97; 272 | v20 = 74; 273 | v21 = 120; 274 | v22 = 65; 275 | v23 = 108; 276 | v24 = 5; 277 | v25 = 70; 278 | v26 = 105; 279 | v27 = 6; 280 | v28 = 85; 281 | v29 = 73; 282 | v30 = 1; 283 | v31 = 64; 284 | v32 = 71; 285 | v33 = 0; 286 | v34 = 91; 287 | v35 = 66; 288 | v36 = 74; 289 | for ( i = 0; ; ++i ) 290 | { 291 | v0 = i; 292 | if ( v0 >= 2 * strlen(&s) + 1 
) 293 | break; 294 | v71 = *(&v3 + i) ^ *(&s + i); 295 | v2[i] = v71; 296 | } 297 | v2[i] = 0; 298 | return printf("%s \n", v2); 299 | } 300 | ``` 301 | Which is unrelated with the game
302 | Here we have `&v3` a pointer to the array `{v3,v4,v5,v6,v7,v8,....}` one-char for each item
303 | And `&s` is a pointer to the array `{s,v38,v39,v40,v41,v42,....}` one char for each item
304 | Also we have `*(&v3 + i)` equals `&v3[i]` and `*(&s + i)` equals `&s[i]`
305 | And `strlen(&s)` will be 46 because the null terminator 0x00 will be at `v15`
306 | So the value `2 * strlen(&s) + 1` will be 93 that is a strange thing for the loop as the size of `v2` is just 32 so the process may crash at running this function
307 | After all we know that the loop will just xor the first array with the second one
308 | So with simple script we can get the result of that operation which is just the flag
309 | 310 | ```python 311 | >>> print(''.join(chr(i^ii) for i,ii in zip([49,50,51,52,53,54,55,56,57,49,50,51,52,53,54,55,56,57,49,50,51,52,53,54,55,56,57,49,50,51,52,53,54,55],[119,94,82,83,78,101,67,12,109,88,113,108,0,91,2,123,97,74,120,65,108,5,70,105,6,85,73,1,64,71,0,91,66,74]))) 312 | Flag{St4TiC_4n4LYsIs_1s_1mp0rt4nt} 313 | ``` 314 | 315 | # Flag 316 | Flag{St4TiC_4n4LYsIs_1s_1mp0rt4nt} 317 | 318 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Egypt Universities CTF Competition/XO/tic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Egypt Universities CTF Competition/XO/tic -------------------------------------------------------------------------------- /CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/Math Master/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | Not Available 9 | # File 10 | [mathmaster](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/HITB2018DXB%20Pre-Conf%20CTF/Math%20Master/mathmaster 11 | ) 12 | # Solution 13 | The file is x64 non-stripped linux binary so let's load it to IDA
14 | I also used the Hex-Rays decompiler to get its C pseudo-code
15 | For the main function we have
16 | 17 | ```c++ 18 | int __cdecl main(int argc, const char **argv, const char **envp) 19 | { 20 | int result; // eax 21 | 22 | if ( argc == 2 ) 23 | { 24 | if ( strlen(argv[1]) == 11 ) 25 | { 26 | if ( check(argv[1]) ) 27 | printf("flag{%s}\n", argv[1], argv); 28 | else 29 | puts("Wrong"); 30 | result = 0; 31 | } 32 | else 33 | { 34 | puts("Please check the input length."); 35 | result = -1; 36 | } 37 | } 38 | else 39 | { 40 | puts("Please check the input value."); 41 | result = -1; 42 | } 43 | return result; 44 | } 45 | ``` 46 | 47 | Which does this
48 | 1) Makes sure exactly one argument was passed to it (`argc == 2`)
49 | 2) Makes sure the length of the first argument is 11
50 | 3) If so, it passes it to the `check` function and prints it as the flag if the return value is non-zero
51 | 52 | For the function `check`
53 | 54 | ```c++ 55 | _BOOL8 __fastcall check(char *a1) 56 | { 57 | if ( (*a1 ^ 0x4D) != (a1[10] != 82) ) 58 | return 0LL; 59 | if ( *a1 * a1[1] != 4004 ) 60 | return 0LL; 61 | if ( a1[1] * a1[2] != 6032 ) 62 | return 0LL; 63 | if ( a1[2] * a1[3] != 8352 ) 64 | return 0LL; 65 | if ( a1[3] + a1[4] != 167 ) 66 | return 0LL; 67 | if ( a1[4] + a1[5] != 172 ) 68 | return 0LL; 69 | if ( a1[5] + a1[6] != 141 ) 70 | return 0LL; 71 | if ( 102 * a1[6] + 32 * a1[7] - 13 * a1[8] != 8700 ) 72 | return 0LL; 73 | if ( *a1 * a1[7] * a1[1] != 460460 ) 74 | return 0LL; 75 | if ( a1[2] * a1[8] * a1[3] != 968832 ) 76 | return 0LL; 77 | if ( a1[4] * a1[9] * a1[5] == 373065 ) 78 | return a1[2] * a1[10] + a1[7] == 9627; 79 | return 0LL; 80 | } 81 | ``` 82 | 83 | The code here is quite simple, apart from a few points
84 | 1) `*a1` is just `a1[0]`
85 | 2) We need to pass all the conditions without returning 0, so every `if` condition has to be false (except the last one, which has to be true)
86 | 3) Take the first condition: both sides have to be equal, but `(a1[10] != 82)` evaluates to 0 or 1 while `(*a1 ^ 0x4D)` may take a range of values including 0 and 1, so there are two possibilities here
87 | a) Both are 1, but in this case we cannot determine `a[10]`
88 | b) Both are 0, and in this case we get both `a[0]` and `a[10]`
90 | To solve this system of equations I used SageMath
91 | 92 | ```python 93 | from sage.all import * 94 | 95 | _ = var(' '.join([('a%d') % i for i in range(11)])) 96 | 97 | s = solve([ 98 | a10 == 82, 99 | a0 * a1 == 4004, 100 | a1 * a2 == 6032, 101 | a2 * a3 == 8352, 102 | a3 + a4 == 167, 103 | a4 + a5 == 172, 104 | a5 + a6 == 141, 105 | 102 * a6 + 32 * a7 - 13 * a8 == 8700, 106 | a0 * a7 * a1 == 460460, 107 | a2 * a8 * a3 == 968832, 108 | a4 * a9 * a5 == 373065, 109 | a2 * a10 + a7 == 9627 110 | ],a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) 111 | 112 | flag = "flag{" 113 | for i in s[0]: 114 | flag += chr(int(str(i).split('==')[1])) 115 | 116 | flag += "}" 117 | 118 | print(flag) 119 | ``` 120 | 121 | We can also solve it with z3
122 | 123 | ```python 124 | from z3 import * 125 | 126 | a = [Int('a[%d]' %i) for i in range(0,11)] 127 | 128 | s = Solver() 129 | s.add( 130 | a[10] == 82, 131 | a[0] * a[1] == 4004, 132 | a[1] * a[2] == 6032, 133 | a[2] * a[3] == 8352, 134 | a[3] + a[4] == 167, 135 | a[4] + a[5] == 172, 136 | a[5] + a[6] == 141, 137 | 102 * a[6] + 32 * a[7] - 13 * a[8] == 8700, 138 | a[0] * a[7] * a[1] == 460460, 139 | a[2] * a[8] * a[3] == 968832, 140 | a[4] * a[9] * a[5] == 373065, 141 | a[2] * a[10] + a[7] == 9627 142 | ) 143 | 144 | _ = s.check() 145 | 146 | flag = "flag{" 147 | for i in range(len(a)): 148 | flag += chr(int(str(s.model()[a[i]]))) 149 | 150 | flag += "}" 151 | 152 | print(flag) 153 | ``` 154 | 155 | We can also use sympy
156 | 157 | ```python 158 | from sympy import * 159 | 160 | for i in range(11): exec("a{0} = symbols('a{0}')".format(i)) 161 | 162 | s = solve([ 163 | a10 -82, 164 | a0 * a1 - 4004, 165 | a1 * a2 - 6032, 166 | a2 * a3 - 8352, 167 | a3 + a4 - 167, 168 | a4 + a5 - 172, 169 | a5 + a6 - 141, 170 | 102 * a6 + 32 * a7 - 13 * a8 - 8700, 171 | a0 * a7 * a1 - 460460, 172 | a2 * a8 * a3 - 968832, 173 | a4 * a9 * a5 - 373065, 174 | a2 * a10 + a7 - 9627 175 | ], [a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10]) 176 | 177 | flag = "flag{" 178 | for i in s[0]: 179 | flag += chr(int(i)) 180 | 181 | flag += "}" 182 | 183 | print(flag) 184 | ``` 185 | 186 | # Flag 187 | flag{M4tH_M@st3R} 188 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/Math Master/mathmaster: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/Math Master/mathmaster -------------------------------------------------------------------------------- /CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/math is your friend/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Hard 5 | # Points 6 | 200 7 | # Description 8 | Not Available 9 | # File 10 | [rev200](https://github.com/Revers3c-Team/CTF-writeups/blob/master/CyberTalents/Competitions/HITB2018DXB%20Pre-Conf%20CTF/math%20is%20your%20friend/rev200) 11 | # Solution 12 | The file is x64 non-stripped linux binary so let's load it to IDA
13 | I also used the Hex-Rays decompiler to get its C pseudo-code
14 | For the main function we have
15 | 16 | ```c++ 17 | int __cdecl main(int argc, const char **argv, const char **envp) 18 | { 19 | int result; // eax 20 | int v4; // [rsp+1Ch] [rbp-4h] 21 | 22 | if ( argc > 1 ) 23 | { 24 | v4 = check_password(argv[1], argv, envp); 25 | if ( v4 == -1 ) 26 | { 27 | puts("Wrong password: at least look at disassembly"); 28 | result = 2; 29 | } 30 | else if ( v4 == -2 ) 31 | { 32 | puts("Wrong password: hint, it's a matrix"); 33 | result = 3; 34 | } 35 | else 36 | { 37 | if ( !v4 ) 38 | { 39 | puts("Congratulations!!!"); 40 | print_password(argv[1]); 41 | } 42 | result = 0; 43 | } 44 | } 45 | else 46 | { 47 | printf("Usage: %s \n", *argv, envp, argv); 48 | result = 1; 49 | } 50 | return result; 51 | } 52 | ``` 53 | 54 | Which does this 55 | 1) Make sure you passed at least one argument to it
56 | 2) Passes the first argument to `check_password` and branches on the return value
57 | 3) Our target is `print_password`, so the return value should be 0
58 | 4) We do not have to understand how `print_password` works; all we need to do is pass `check_password`
59 | 60 | For `check_passeord` we have 61 | 62 | ```c++ 63 | signed __int64 __fastcall check_password(const char *a1) 64 | { 65 | signed int i; // [rsp+10h] [rbp-30h] 66 | signed int j; // [rsp+14h] [rbp-2Ch] 67 | int v4; // [rsp+18h] [rbp-28h] 68 | signed int k; // [rsp+1Ch] [rbp-24h] 69 | char v6; // [rsp+20h] [rbp-20h] 70 | char v7; // [rsp+21h] [rbp-1Fh] 71 | char v8; // [rsp+22h] [rbp-1Eh] 72 | char v9; // [rsp+23h] [rbp-1Dh] 73 | char v10; // [rsp+24h] [rbp-1Ch] 74 | char v11; // [rsp+25h] [rbp-1Bh] 75 | char v12; // [rsp+26h] [rbp-1Ah] 76 | char v13; // [rsp+27h] [rbp-19h] 77 | char v14; // [rsp+28h] [rbp-18h] 78 | unsigned __int64 v15; // [rsp+38h] [rbp-8h] 79 | 80 | v15 = __readfsqword(0x28u); 81 | v6 = 79; 82 | v7 = 8; 83 | v8 = 29; 84 | v9 = 58; 85 | v10 = 81; 86 | v11 = 21; 87 | v12 = 49; 88 | v13 = 123; 89 | v14 = 114; 90 | if ( strlen(a1) != 9 ) 91 | return 0xFFFFFFFFLL; 92 | for ( i = 0; i <= 2; ++i ) 93 | { 94 | for ( j = 0; j <= 2; ++j ) 95 | { 96 | v4 = 0; 97 | for ( k = 0; k <= 2; ++k ) 98 | v4 = (a1[3 * k + j] * *(&v6 + 3 * i + k) + v4) % 127; 99 | if ( i == j ) 100 | { 101 | if ( v4 != 1 ) 102 | return 4294967294LL; 103 | } 104 | else if ( v4 ) 105 | { 106 | return 4294967294LL; 107 | } 108 | } 109 | } 110 | return 0LL; 111 | } 112 | ``` 113 | 114 | Which does this 115 | 1) We have this array `&v6 = {79,8,29,58,81,21,49,123,114}`
116 | 2) Makes sure the length of `a1` (our input) is 9; if not, it returns 0xFFFFFFFF, which `main` sees as -1
117 | 3) Starts two nested loops with `i` and `j` ranging from 0 to 2
118 | 4) Sets `v4` to 0, then starts another nested loop with `k` ranging from 0 to 2 that accumulates into `v4`
119 | 5) Note that `*(&v6 + 3 * i + k)` is `(&v6)[3 * i + k]`, i.e. element `(i, k)` of the 3x3 matrix stored at `&v6`
120 | 6) Checks some conditions on `v4`
121 | 7) If a check fails, it returns 4294967294, which is -2
123 | Now we know that `v4` should be 1 when `i == j` and 0 when `i != j`, i.e. the product of our input (read as a 3x3 matrix) with the `v6` matrix must be the identity matrix mod 127
124 | 125 | I made this script to solve it
126 | 127 | ```python 128 | v6 = [79,8,29,58,81,21,49,123,114] 129 | equs = [] 130 | for i in range(3): 131 | for j in range(3): 132 | v4 = "0" 133 | if i == j: v4 = "1" 134 | equ = "0" 135 | for k in range(3): 136 | equ = "(a%d * %d + %s) %% 127" % (3 * k + j, v6[3 * i + k], equ) 137 | equ += " == " + v4 138 | equs.append(equ) 139 | 140 | print("We need to solve this system of equations") 141 | for equ in equs: print(equ) 142 | 143 | print("We solve 3 equations with 3 variables (every variable in range of 33 -- 126) each time") 144 | ii = 0 145 | password = {} 146 | for _ in range(3): 147 | check = [] 148 | for equ in equs[ii::3]: 149 | check.append(equ) 150 | check = " and ".join(check) 151 | exec(""" 152 | solved = False 153 | for a{0} in range(33,127): 154 | for a{1} in range(33,127): 155 | for a{2} in range(33,127): 156 | if solved: break 157 | if {3}: 158 | password[{0}] = a{0} 159 | password[{1}] = a{1} 160 | password[{2}] = a{2} 161 | solved = True 162 | 163 | """.format(ii,3+ii,6+ii,check)) 164 | ii += 1 165 | print("The password is:"), 166 | print("".join([chr(i) for i in [password.get(ii) for ii in list(set(password.keys()))]])) 167 | print("Now run it again with ./rev200 \"\"") 168 | ``` 169 | 170 | # Flag 171 | flag{d1scr337_math_1s_gr3at} 172 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/math is your friend/rev200: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/HITB2018DXB Pre-Conf CTF/math is your friend/rev200 -------------------------------------------------------------------------------- /CyberTalents/Competitions/Helwan University CTF Competition/Encipher/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [Al-Azhar University 
Cybersecurity CTF Competition](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/Al-Azhar%20University%20Cybersecurity%20CTF%20Competition/Encipher) 3 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Helwan University CTF Competition/simple reverse/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | `Only a plaintext password would be easier...` 9 | # File 10 | [simple_reverse](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Helwan%20University%20CTF%20Competition/simple%20reverse/simple_reverse) 11 | # Solution 12 | The file is x64 non-stripped linux binary, so I loaded it to IDA
13 | For the main function we have
14 | 15 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Helwan%20University%20CTF%20Competition/simple%20reverse/img1.PNG) 16 | 17 | It requires an input, then it checks it with `check_password`, and it should return zero to print the flag
18 | So I'm going to reverse this function to get the right password
19 | 20 | ```c++ 21 | signed __int64 __fastcall check_password(const char *a1) 22 | { 23 | signed int i; // [rsp+18h] [rbp-28h] 24 | __int64 v3; // [rsp+20h] [rbp-20h] 25 | __int64 v4; // [rsp+28h] [rbp-18h] 26 | __int16 v5; // [rsp+30h] [rbp-10h] 27 | unsigned __int64 v6; // [rsp+38h] [rbp-8h] 28 | 29 | v6 = __readfsqword(0x28u); 30 | v3 = -5480071635338481426LL; 31 | v4 = -5482867658982444575LL; 32 | v5 = 242; 33 | if ( strlen(a1) != 17 ) 34 | return 0xFFFFFFFFLL; 35 | for ( i = 0; i <= 16; ++i ) 36 | { 37 | if ( *(&v3 + i) != (a1[i] ^ 0x80) ) 38 | return 0xFFFFFFFFLL; 39 | } 40 | return 0LL; 41 | } 42 | ``` 43 | 44 | We have some important points here
45 | 1) The password length has to be 17 46 | 2) `*(&v3 + i)` is `(&v3)[i]`, i.e. the adjacent locals `v3`, `v4` and `v5` are read as one contiguous 17-byte array
47 | 3) We have an array pointer `&v3` that can be converted to list using this python snippet 48 | 49 | ```python 50 | # run with python2 51 | def signed_int_to_bytes(signed_int,size): 52 | # Little-endian 53 | string = hex(signed_int & (2**(8*size)-1)) 54 | string = string.replace('L','').replace('0x','') 55 | if len(string) % 2: 56 | string = '0' + string 57 | string = string.decode('hex') 58 | string = string[::-1] 59 | return string 60 | 61 | v3 = [] 62 | v3 += signed_int_to_bytes(-5480071635338481426,8) 63 | v3 += signed_int_to_bytes(-5482867658982444575,8) 64 | v3 += signed_int_to_bytes(242,8) 65 | print(v3) 66 | ``` 67 | 68 | So it will be `['\xee', '\xb0', '\xf4', '\xdf', '\xe1', '\xdf', '\xf2', '\xb3', '\xe1', '\xb1', '\xdf', '\xe3', '\xe9', '\xf0', '\xe8', '\xb3', '\xf2']`
69 | 70 | To get the password
71 | 72 | ```python 73 | >>> v3 = ['\xee', '\xb0', '\xf4', '\xdf', '\xe1', '\xdf', '\xf2', '\xb3', '\xe1', '\xb1', '\xdf', '\xe3', '\xe9', '\xf0', '\xe8', '\xb3', '\xf2'] 74 | >>> password = "" 75 | >>> for i in v3: 76 | ... password += chr(ord(i) ^ 0x80) 77 | ... 78 | >>> print(password) 79 | n0t_a_r3a1_ciph3r 80 | ``` 81 | 82 | Now use it to get the flag
83 | 84 | # Flag 85 | flag{xor_is_pretty_simple} 86 | 87 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Helwan University CTF Competition/simple reverse/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Helwan University CTF Competition/simple reverse/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Helwan University CTF Competition/simple reverse/simple_reverse: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Helwan University CTF Competition/simple reverse/simple_reverse -------------------------------------------------------------------------------- /CyberTalents/Competitions/Lebanese American University CTF/ezez keygen/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [MIU CTF Competition](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/MIU%20CTF%20Competition/ezez%20keygen) 3 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/MIU CTF Competition/ezez keygen/README.md: -------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | Not Available 9 | # File 10 | [ezez_keygen](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/MIU%20CTF%20Competition/ezez%20keygen/ezez_keygen) 11 | # Solution 12 | The file is x64 stripped linux binary
13 | Running it gave me this
14 | 15 | ```sh 16 | $ ./ezez_keygen 17 | usage: ./easy_keygen username serial 18 | $ ./ezez_keygen plapla plapla 19 | unrecognized user 20 | $ 21 | ``` 22 | 23 | The main function looks like this
24 | 25 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/MIU%20CTF%20Competition/ezez%20keygen/img1.PNG) 26 | 27 | Which does this
28 | 1) Make sure the number of arguments is at least 2
29 | 2) Two checks: the first argument must be `4dminUser31337` and `sub_4008B9(argv[1],argv[2])` must return 1
30 | 3) If both checks pass, it prints the flag, which is `argv[2]` 31 | 32 | So we now know that the username should be `4dminUser31337` and the serial should be the flag
33 | Our target now is to make `sub_4008B9(username,serial)` return 1; decompiling it ...
34 | 35 | ```c++ 36 | signed __int64 __fastcall sub_4008B9(const char *a1, const char *a2) 37 | { 38 | signed __int64 result; // rax 39 | char *v3; // rax 40 | size_t v4; // [rsp+10h] [rbp-10h] 41 | size_t v5; // [rsp+18h] [rbp-8h] 42 | 43 | v4 = strlen(a1); 44 | v5 = strlen(a2); 45 | if ( v4 > 0x1E || v5 > 0x64 ) 46 | return 0xFFFFFFFFLL; 47 | if ( ((0xAAAAAAAAAAAAAAABLL * v5 >> 64) >> 1) + v5 - 3 * ((0xAAAAAAAAAAAAAAABLL * v5 >> 64) >> 1) != v4 ) 48 | return 0xFFFFFFFFLL; 49 | v3 = sub_400746(a2); 50 | if ( !strcmp(v3, a1) ) 51 | result = 1LL; 52 | else 53 | result = 0xFFFFFFFFLL; 54 | return result; 55 | } 56 | ``` 57 | 58 | Which does this
59 | 1) Two checks on the lengths of the username and the serial
60 | 2) If `sub_400746(serial)` equals `4dminUser31337` it will return 1
62 | Because we know the length of the username, we can brute-force the length of the serial
63 | 64 | ```python 65 | >>> v4 = len('4dminUser31337') 66 | >>> for i in range(0x64): 67 | ... if ((0xAAAAAAAAAAAAAAAB * i >> 64) >> 1) + i - 3 * ((0xAAAAAAAAAAAAAAAB * i >> 64) >> 1) == v4: print(i) 68 | ... 69 | 38 70 | 40 71 | 42 72 | >>> 73 | ``` 74 | 75 | Now our target is to make `sub_400746(serial)` return `4dminUser31337`
76 | I also decompiled it to be
77 | 78 | ```c++ 79 | char *__fastcall sub_400746(const char *a1) 80 | { 81 | char v2; // [rsp+14h] [rbp-5Ch] 82 | int i; // [rsp+18h] [rbp-58h] 83 | char nptr[2]; // [rsp+20h] [rbp-50h] 84 | char v5; // [rsp+22h] [rbp-4Eh] 85 | char v6[8]; // [rsp+30h] [rbp-40h] 86 | __int64 v7; // [rsp+38h] [rbp-38h] 87 | __int64 v8; // [rsp+40h] [rbp-30h] 88 | __int64 v9; // [rsp+48h] [rbp-28h] 89 | unsigned __int64 v10; // [rsp+58h] [rbp-18h] 90 | 91 | v10 = __readfsqword(0x28u); 92 | *v6 = 0LL; 93 | v7 = 0LL; 94 | v8 = 0LL; 95 | v9 = 0LL; 96 | *nptr = 0; 97 | v5 = 0; 98 | for ( i = 0; i < strlen(a1); i += 3 ) 99 | { 100 | if ( a1[i + 2] != 45 && a1[i + 2] != 43 ) 101 | { 102 | puts("Invalid serial format!"); 103 | exit(-1); 104 | } 105 | v2 = 0; 106 | if ( a1[i + 2] == 43 ) 107 | v2 = 1; 108 | nptr[0] = a1[i]; 109 | nptr[1] = a1[i + 1]; 110 | v5 = 0; 111 | v6[i / 3] = 2 * strtol(nptr, 0LL, 16) + v2; 112 | } 113 | return strdup(v6); 114 | } 115 | ``` 116 | 117 | Which does this
118 | 1) Loop through the serial at chunks with length 3 for each one
119 | 2) At every chunk it does this
120 | a) Make sure the third char is `+` or `-`
121 | b) `v2` will be 0 when the third char is `-` and 1 if it's `+`
122 | c) Puts the first and the second char at the two-char-chunk `nptr`
123 | d) Decode `nptr` as hex (`strtol(nptr,0,16)` in c looks like `int(nptr,16)` in python), multiply it by 2 and add the result to `v2`
124 | c) The result will be appended to `v6` that will returned after that
125 | 126 | For this we know that the output should be `4dminUser31337`
127 | So this is how I solved it
128 | 1) Loop through chars of `4dminUser31337`
129 | 2) At every char check if the ascii code is odd, if so, decrease it by 1
130 | 3) Divide the result by 2 and get its hex value
131 | 4) Append `-` if we decreased it and `+` if not
132 | 133 | ```python 134 | >>> ret = "" 135 | >>> for i in list('4dminUser31337'): 136 | ... ch = ord(i) 137 | ... if ch % 2 == 0: 138 | ... kind = "-" 139 | ... else: 140 | ... kind = "+" 141 | ... ch = ch - 1 142 | ... ch = ch / 2 143 | ... ret += hex(ch)[2:]+kind 144 | ... 145 | >>> print("flag{%s}" % ret) 146 | flag{1a-32-36+34+37-2a+39+32+39-19+18+19+19+1b+} 147 | >>> 148 | ``` 149 | 150 | And because upper-case hex is just decoded like lower-case hex we have this
151 | 152 | ```sh 153 | # ./ezez_keygen 4dminUser31337 1a-32-36+34+37-2a+39+32+39-19+18+19+19+1b+ 154 | flag is: flag{1a-32-36+34+37-2a+39+32+39-19+18+19+19+1b+} 155 | # ./ezez_keygen 4dminUser31337 1A-32-36+34+37-2A+39+32+39-19+18+19+19+1B+ 156 | flag is: flag{1A-32-36+34+37-2A+39+32+39-19+18+19+19+1B+} 157 | # 158 | ``` 159 | 160 | So the flag may be upper or lower case (I didn't have the chance to submit it) 161 | 162 | # Flag 163 | flag{1A-32-36+34+37-2A+39+32+39-19+18+19+19+1B+} 164 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/MIU CTF Competition/ezez keygen/ezez_keygen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/MIU CTF Competition/ezez keygen/ezez_keygen -------------------------------------------------------------------------------- /CyberTalents/Competitions/MIU CTF Competition/ezez keygen/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/MIU CTF Competition/ezez keygen/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/Bruteforce Me/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [Al-Azhar University Cybersecurity CTF Competition](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/Al-Azhar%20University%20Cybersecurity%20CTF%20Competition/Bruteforce%20Me) 3 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/They are many/README.md: 
-------------------------------------------------------------------------------- 1 | # Category 2 | Malware Reverse Engineering 3 | # Level 4 | Medium 5 | # Points 6 | 100 7 | # Description 8 | `We need some scripts to help us, can you do it ? format flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}` 9 | # File 10 | [They-are-many](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Menoufia%20University%20CTF%20Competition/They%20are%20many/They-are-many) 11 | # Solution 12 | The file x86 linux binary, with a simple main function
13 | 14 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Menoufia%20University%20CTF%20Competition/They%20are%20many/img1.PNG) 15 | 16 | And a quite huge number of non-called functions
17 | 18 | ![untitled](https://github.com/Revers3c-Team/CTF-writeups/raw/master/CyberTalents/Competitions/Menoufia%20University%20CTF%20Competition/They%20are%20many/img2.PNG) 19 | 20 | For every function we have a similar code
21 | 22 | ```c++ 23 | nt zjwtckvcplspzceiztil() 24 | { 25 | size_t v0; // ebx 26 | int v2; // [esp+1Ch] [ebp-3Ch] 27 | int v3; // [esp+20h] [ebp-38h] 28 | int v4; // [esp+24h] [ebp-34h] 29 | int v5; // [esp+28h] [ebp-30h] 30 | char s[4]; // [esp+2Ch] [ebp-2Ch] 31 | int v7; // [esp+30h] [ebp-28h] 32 | int v8; // [esp+34h] [ebp-24h] 33 | int v9; // [esp+38h] [ebp-20h] 34 | int v10; // [esp+3Ch] [ebp-1Ch] 35 | int v11; // [esp+40h] [ebp-18h] 36 | int v12; // [esp+44h] [ebp-14h] 37 | int v13; // [esp+48h] [ebp-10h] 38 | int i; // [esp+4Ch] [ebp-Ch] 39 | 40 | *s = -737951595; 41 | v7 = -602679916; 42 | v8 = -803815276; 43 | v9 = -904279934; 44 | v10 = -1039282299; 45 | v11 = -804859518; 46 | v12 = -1022310248; 47 | v13 = 1236127; 48 | v2 = 243; 49 | v3 = 186; 50 | v4 = 117; 51 | v5 = 165; 52 | for ( i = 0; ; ++i ) 53 | { 54 | v0 = i; 55 | if ( v0 >= strlen(s) ) 56 | break; 57 | s[i] ^= *(&v2 + 4 * (i % 4)); 58 | } 59 | return printf("%s", s); 60 | } 61 | ``` 62 | 63 | So we need to execute all of these functions individually
64 | And because the only function called from `main` is (dynamically linked) `puts` we can use gdb to change its address to the address of any other function to execute it
65 | From IDA I got that will be assigned to `puts` which is `0x8084010`
66 | Also to list all functions with its addresses I used `nm -C --defined-only They-are-many`
67 | And to change the addresses I used `gdb -q ./They-are-many -ex start -ex 'set *0x8084010 = <address>' -ex continue -ex quit`
68 | So I made this script 69 | 70 | ```python 71 | >>> import subprocess 72 | >>> addresses = subprocess.Popen(['nm' ,"-C" ,"--defined-only", "They-are-many"], stdout=subprocess.PIPE).communicate()[0] 73 | >>> for address in addresses.splitlines(): 74 | ... if ' T ' in address: 75 | ... address_n = '0x' + address.split(' T ')[0] 76 | ... address_s = address.split(' T ')[1] 77 | ... if len(address_s) != 20: continue 78 | ... print("Executing %s ..." % address_s) 79 | ... out = subprocess.Popen(['gdb' ,"-q" ,"./They-are-many" ,"-ex" ,"start" ,"-ex" ,"set *0x8084010 = %s" % address_n ,"-ex" ,"continue" ,"-ex" ,"quit"], stdout=subprocess.PIPE).communicate()[0] 80 | ... if 'flag' in out: 81 | ... print('flag{%s}' % out.split("{")[1].split("}")[0]) 82 | ... break 83 | ... 84 | Executing aaibprtesbuqmniuymta ... 85 | Executing aaqbwemuqxupmcssyqcd ... 86 | Executing abhtwqbgkarwxmacqarf ... 87 | Executing abqvzfoxxdqdhmgfkwmn ... 88 | Executing acxzoudorrydauedwlri ... 89 | Executing aekjmvsmtvdghymasgew ... 90 | Executing aemjzkcqeyydidijeqjp ... 91 | Executing aepidrmoyubzsfbljgfu ... 92 | Executing aertfkzadhfppcrvyfeu ... 93 | Executing afkgfdzkpywulbunahqg ... 94 | Executing afokhuzjcdprqjjyzusg ... 95 | Executing afqnbfgqcxpuuyjzauly ... 96 | Executing aftepyyiyvkymgtbbjxw ... 97 | Executing agiirnwmbghszrhufxdp ... 98 | Executing agkfkhnwfsduseucuebq ... 99 | Executing aigjtafwrnhsrpgnvmqz ... 100 | Executing aigponinibmpyhbnhnkn ... 101 | .... 102 | .... 103 | Executing nevhrehlallqpkkbfezq ... 104 | Executing newucmpxxtguhkjcmelk ... 105 | Executing nfkrynltgiwafnmazybe ... 106 | Executing nfwkxnszpmjdzligchnd ... 107 | Executing ngvlkhsxuzwuqxcdovzs ... 108 | Executing ngybenipskvmegfntcor ... 109 | Executing nhihpofhqmosedxfmyqd ... 110 | Executing nhrycgyjkfkzjkkcjggo ... 
111 | flag{@ut0m@t10n_1s_y0ur_fr1end} 112 | >>> 113 | ``` 114 | 115 | # Flag 116 | flag{@ut0m@t10n_1s_y0ur_fr1end} 117 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/They are many/They-are-many: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Menoufia University CTF Competition/They are many/They-are-many -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/They are many/img1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Menoufia University CTF Competition/They are many/img1.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/They are many/img2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/CyberTalents/Competitions/Menoufia University CTF Competition/They are many/img2.PNG -------------------------------------------------------------------------------- /CyberTalents/Competitions/Menoufia University CTF Competition/ezez keygen/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [MIU CTF Competition](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/MIU%20CTF%20Competition/ezez%20keygen) 3 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Women in Cybersecurity 
CTF/Mobile App/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [CyberTeam Company Internship CTF](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Mobile%20App) 3 | -------------------------------------------------------------------------------- /CyberTalents/Competitions/Women in Cybersecurity CTF/Say my Name/README.md: -------------------------------------------------------------------------------- 1 | # Link 2 | Already solved at [CyberTeam Company Internship CTF](https://github.com/Revers3c-Team/CTF-writeups/tree/master/CyberTalents/Competitions/CyberTeam%20Company%20Internship%20CTF/Say%20my%20Name) 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CTF-writeups 2 | Revers3c-Team CTF writeups 3 | -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Arithmetic.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Created on Dec 22, 2011 3 | 4 | @author: pablocelayes 5 | ''' 6 | 7 | def egcd(a,b): 8 | ''' 9 | Extended Euclidean Algorithm 10 | returns x, y, gcd(a,b) such that ax + by = gcd(a,b) 11 | ''' 12 | u, u1 = 1, 0 13 | v, v1 = 0, 1 14 | while b: 15 | q = a // b 16 | u, u1 = u1, u - q * u1 17 | v, v1 = v1, v - q * v1 18 | a, b = b, a - q * b 19 | return u, v, a 20 | 21 | def gcd(a,b): 22 | ''' 23 | 2.8 times faster than egcd(a,b)[2] 24 | ''' 25 | a,b=(b,a) if a= 0 49 | n = 0 50 | while x > 0: 51 | n = n+1 52 | x = x>>1 53 | return n 54 | 55 | 56 | def isqrt(n): 57 | ''' 58 | Calculates the integer square root 59 | for arbitrary large nonnegative integers 60 | ''' 61 | if n < 0: 62 | raise ValueError('square root not defined for negative numbers') 63 | 64 | if n == 0: 65 | return 0 
66 | a, b = divmod(bitlength(n), 2) 67 | x = 2**(a+b) 68 | while True: 69 | y = (x + n//x)//2 70 | if y >= x: 71 | return x 72 | x = y 73 | 74 | 75 | def is_perfect_square(n): 76 | ''' 77 | If n is a perfect square it returns sqrt(n), 78 | 79 | otherwise returns -1 80 | ''' 81 | h = n & 0xF; #last hexadecimal "digit" 82 | 83 | if h > 9: 84 | return -1 # return immediately in 6 cases out of 16. 85 | 86 | # Take advantage of Boolean short-circuit evaluation 87 | if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ): 88 | # take square root if you must 89 | t = isqrt(n) 90 | if t*t == n: 91 | return t 92 | else: 93 | return -1 94 | 95 | return -1 96 | 97 | #TEST functions 98 | 99 | def test_is_perfect_square(): 100 | print("Testing is_perfect_square") 101 | testsuit = [4, 0, 15, 25, 18, 901, 1000, 1024] 102 | 103 | for n in testsuit: 104 | print("Is ", n, " a perfect square?") 105 | if is_perfect_square(n)!= -1: 106 | print("Yes!") 107 | else: 108 | print("Nope") 109 | 110 | if __name__ == "__main__": 111 | test_is_perfect_square() -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/ContinuedFractions.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Created on Dec 14, 2011 3 | 4 | @author: pablocelayes 5 | 6 | ''' 7 | 8 | def rational_to_contfrac(x,y): 9 | ''' 10 | Converts a rational x/y fraction into 11 | a list of partial quotients [a0, ..., an] 12 | ''' 13 | a = x//y 14 | pquotients = [a] 15 | while a * y != x: 16 | x,y = y,x-a*y 17 | a = x//y 18 | pquotients.append(a) 19 | return pquotients 20 | 21 | #TODO: efficient method that calculates convergents on-the-go, without doing partial quotients first 22 | def convergents_from_contfrac(frac): 23 | ''' 24 | computes the list of convergents 25 | using the list of partial quotients 26 | ''' 27 | convs = []; 28 | for i in range(len(frac)): 29 | convs.append(contfrac_to_rational(frac[0:i])) 30 | return 
convs 31 | 32 | def contfrac_to_rational (frac): 33 | '''Converts a finite continued fraction [a0, ..., an] 34 | to an x/y rational. 35 | ''' 36 | if len(frac) == 0: 37 | return (0,1) 38 | num = frac[-1] 39 | denom = 1 40 | for _ in range(-2,-len(frac)-1,-1): 41 | num, denom = frac[_]*num+denom, num 42 | return (num,denom) 43 | 44 | def test1(): 45 | ''' 46 | Verify that the basic continued-fraction manipulation stuff works. 47 | ''' 48 | testnums = [(1, 1), (1, 2), (5, 15), (27, 73), (73, 27)] 49 | for r in testnums: 50 | (num, denom) = r 51 | print('rational number:') 52 | print(r) 53 | 54 | contfrac = rational_to_contfrac (num, denom) 55 | print('continued fraction:') 56 | print(contfrac) 57 | 58 | print('convergents:') 59 | print(convergents_from_contfrac(contfrac)) 60 | print('***********************************') 61 | 62 | if __name__ == "__main__": 63 | test1() 64 | -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/README.md: -------------------------------------------------------------------------------- 1 | First calaculate `left` using wiener rsa attack (d < (1/3) * n ^ (1/4)) 2 | 3 | ```python 4 | n = 338630205260455689413627911306068443537112802550361922213620660503310212139001530156458392949653034244789612680980241965923780722889133495349537107789761426092510299239678696031652780059016898519278860185536978111680123402473365833456785718098200501968322228116681190425490850863660038143310790555506293106653050174262471649179173093656763946257235681980586392230447218179278964626176124426615857733950102117938674282636936094069075258237416065546593509302494726576026227551920883962084579635168761189995794814926094510046419165007371450799003658587100556051088147493947712592469412133312536422828670173807709914587 # array[1] 5 | e = 
318540665379393469901456665807211509077755719995811520039095212139429238053864597311950397094944291616119321660193803737677538864969915331331528398734504661147661499115125056479426948683504604460936703005724827506058051215012025774714463561829608252938657297504427643593752676857551877096958959488289759878259498255905255543409142370769036479607835226542428818361327569095305960454592450213005148130508649794732855515489990191085723757628463901282599712670814223322126866814011761400443596552984309315434653984387419451894484613987942298157348306834118923950284809853541881602043240244910348705406353947587203832407 # array[0] 6 | ``` 7 | Use the script RSAwienerHacker.py 8 | 9 | ```python 10 | from RSAwienerHacker import hack_RSA 11 | ``` 12 | get the private key 13 | 14 | ```python 15 | d = hack_RSA(e,n) 16 | ``` 17 | Now we need to know the cipher to get the message (left) 18 | The cipher is stored in a file with random 5-chars name 19 | 20 | ![untitled](https://user-images.githubusercontent.com/46635361/51080501-8f5bf100-16e5-11e9-91fd-f2b532d2323a.png) 21 | 22 | from temp.zip the cipher will be one of four 23 | 24 | ```python 25 | c1 = 22904516087410958599400745295134407957538293849620479588699156943757304837190206382665810336482084781716773849605028263476508455731215761790645667054362539296225823398110243417691472133198440314276331355755866132461321596985526430056988927899479114899053294447700802697849092611264153732845034596143304147296894154594063406502535214999610175577413770003406849756759705571117279825037289641308088310214682418211107156983914990633688947345705294168540142293966230901741901843148151129118233782533371418208975094857361573218946344850619389994324095906207074062159093524286977819801023613457060607798022036303553020476 26 | c2 = 
254866065682021130439724704937184867571988898126920600312144202556337159335488307552034191341001334289495652540971128980722467151376324890145316009877658096246806325051196567044529609683599402485189329892395240384493083054505826600987614336430723213785881831176358478144388474300760084710212411934668239335533485693356382028168837946529365830131133223783968340244661008902365028927933626741730260578060987088277049516429347277957426341268861086257310107687596399904515666210206566515570142933731910160014673044494207393056295622419635061856638050287849658586267948950746076818312815168906437623990438374273215445550 27 | c3 = 66986751702365023425546040811128085934255056222119634201596568962332666689417320304556447002675790986062966970352224594017211232884838178400589946497973469386294416000497968628420724798644253862335331326153504090767110404624684514870325486016592746662855557252592289165913143349801457748311698744736970450983876700104464797966354724061731369270046556016466415901905977429873127066683204343775880967437298869416520779738130821986475609249688136411106965188206590276353646797059304993638685907655812064741087007301962280880350682446416137921607796756476047717004303175907859332970054988289924695017467271667259367926 28 | c4 = 59531950184882790356049596177169766243633485536127278113266454795985447480064539570462585630170415944367132840495806507836267093480678625545936817591854937033439937039828087075778881014953402678052943665968820811578551326692619551669234592698172896800413452669731627601552791837958452516251544653002721298308568913960606365275598616860812772279769873624613991630172996111045159009970449751316389066161574929704254356919957637115206987479209947250327261534001037332567509365955927492251220447277753564340324632065639087041582476532705138114620897878816737352411618205723180638342309329139458240894218141301303853211 29 | ``` 30 | so we calcualte the message for every one 31 | 32 | ```python 33 | m1 = pow(c1,d,n) 34 | m2 = pow(c2,d,n) 35 | m3 = 
pow(c3,d,n) 36 | m4 = pow(c4,d,n) 37 | ``` 38 | 39 | And because we want the plain text from it 40 | 41 | ```python 42 | m1 = hex(m1).replace("0x",'').replace("L",'').decode('hex') 43 | m2 = hex(m2).replace("0x",'').replace("L",'').decode('hex') 44 | m3 = hex(m3).replace("0x",'').replace("L",'').decode('hex') 45 | m4 = hex(m4).replace("0x",'').replace("L",'').decode('hex') 46 | 47 | print("left = \"{}\" or \"{}\" or \"{}\" or \"{}\"".format(m1,m2,m3,m4)) 48 | # left = "3599427841201158309" or "2281123928613928259" or "1613383286900676679" or "2413992114436498344" 49 | print("Now use them one by one on the ransomeware after patching it") 50 | ``` 51 | 52 | The last step here is to patch the binary and try the four values we got .. the right value was 2281123928613928259 so we will end up with something like this. 53 | 54 | ```C# 55 | private static void Main(string[] args) 56 | { 57 | string flag = cryptography.Aes(Convert.FromBase64String(File.ReadAllText(".\\dsafgasf.txt")), "2281123928613928259", "ABCDEFGHIJ12", false, true); 58 | Console.WriteLine("Flag : " + flag); 59 | } 60 | ``` 61 | 62 | ![untitled](https://user-images.githubusercontent.com/46635361/51080747-eb287900-16e9-11e9-90a2-967abc8c6088.png) 63 | 64 | 65 | -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/RSAwienerHacker.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Created on Dec 14, 2011 3 | 4 | @author: pablocelayes 5 | ''' 6 | 7 | import ContinuedFractions, Arithmetic 8 | 9 | def hack_RSA(e,n): 10 | ''' 11 | Finds d knowing (e,n) 12 | applying the Wiener continued fraction attack 13 | ''' 14 | frac = ContinuedFractions.rational_to_contfrac(e, n) 15 | convergents = ContinuedFractions.convergents_from_contfrac(frac) 16 | 17 | for (k,d) in convergents: 18 | 19 | #check if d is actually the key 20 | if k!=0 and (e*d-1)%k == 0: 21 | phi = (e*d-1)//k 22 | s = n - phi + 1 23 | # check if the 
equation x^2 - s*x + n = 0 24 | # has integer roots 25 | discr = s*s - 4*n 26 | if(discr>=0): 27 | t = Arithmetic.is_perfect_square(discr) 28 | if t!=-1 and (s+t)%2==0: 29 | print("Hacked!") 30 | return d 31 | 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Ransomware.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/ctf.squnity.com/Ransomware/Ransomware.exe -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Temp/TBOHI.tmp: -------------------------------------------------------------------------------- 1 | 22904516087410958599400745295134407957538293849620479588699156943757304837190206382665810336482084781716773849605028263476508455731215761790645667054362539296225823398110243417691472133198440314276331355755866132461321596985526430056988927899479114899053294447700802697849092611264153732845034596143304147296894154594063406502535214999610175577413770003406849756759705571117279825037289641308088310214682418211107156983914990633688947345705294168540142293966230901741901843148151129118233782533371418208975094857361573218946344850619389994324095906207074062159093524286977819801023613457060607798022036303553020476 -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Temp/TFX50.tmp: -------------------------------------------------------------------------------- 1 | 
254866065682021130439724704937184867571988898126920600312144202556337159335488307552034191341001334289495652540971128980722467151376324890145316009877658096246806325051196567044529609683599402485189329892395240384493083054505826600987614336430723213785881831176358478144388474300760084710212411934668239335533485693356382028168837946529365830131133223783968340244661008902365028927933626741730260578060987088277049516429347277957426341268861086257310107687596399904515666210206566515570142933731910160014673044494207393056295622419635061856638050287849658586267948950746076818312815168906437623990438374273215445550 -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Temp/VH5JA.tmp: -------------------------------------------------------------------------------- 1 | 66986751702365023425546040811128085934255056222119634201596568962332666689417320304556447002675790986062966970352224594017211232884838178400589946497973469386294416000497968628420724798644253862335331326153504090767110404624684514870325486016592746662855557252592289165913143349801457748311698744736970450983876700104464797966354724061731369270046556016466415901905977429873127066683204343775880967437298869416520779738130821986475609249688136411106965188206590276353646797059304993638685907655812064741087007301962280880350682446416137921607796756476047717004303175907859332970054988289924695017467271667259367926 -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/Temp/ZNDKC.tmp: -------------------------------------------------------------------------------- 1 | 
59531950184882790356049596177169766243633485536127278113266454795985447480064539570462585630170415944367132840495806507836267093480678625545936817591854937033439937039828087075778881014953402678052943665968820811578551326692619551669234592698172896800413452669731627601552791837958452516251544653002721298308568913960606365275598616860812772279769873624613991630172996111045159009970449751316389066161574929704254356919957637115206987479209947250327261534001037332567509365955927492251220447277753564340324632065639087041582476532705138114620897878816737352411618205723180638342309329139458240894218141301303853211 -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/WriteUp.py: -------------------------------------------------------------------------------- 1 | # Run with python2 2 | # First calaculate `left` using wiener rsa attack (d < (1/3) * n ^ (1/4)) 3 | n = 338630205260455689413627911306068443537112802550361922213620660503310212139001530156458392949653034244789612680980241965923780722889133495349537107789761426092510299239678696031652780059016898519278860185536978111680123402473365833456785718098200501968322228116681190425490850863660038143310790555506293106653050174262471649179173093656763946257235681980586392230447218179278964626176124426615857733950102117938674282636936094069075258237416065546593509302494726576026227551920883962084579635168761189995794814926094510046419165007371450799003658587100556051088147493947712592469412133312536422828670173807709914587 # array[1] 4 | e = 
318540665379393469901456665807211509077755719995811520039095212139429238053864597311950397094944291616119321660193803737677538864969915331331528398734504661147661499115125056479426948683504604460936703005724827506058051215012025774714463561829608252938657297504427643593752676857551877096958959488289759878259498255905255543409142370769036479607835226542428818361327569095305960454592450213005148130508649794732855515489990191085723757628463901282599712670814223322126866814011761400443596552984309315434653984387419451894484613987942298157348306834118923950284809853541881602043240244910348705406353947587203832407 # array[0] 5 | 6 | # Use the script RSAwienerHacker.py 7 | from RSAwienerHacker import hack_RSA 8 | # get the private key 9 | d = hack_RSA(e,n) 10 | # Now we need to know the cipher to get the message (left) 11 | # The cipher is stored in a file with random 5-chars name 12 | # from temp.zip the cipher will be one of four 13 | c1 = 22904516087410958599400745295134407957538293849620479588699156943757304837190206382665810336482084781716773849605028263476508455731215761790645667054362539296225823398110243417691472133198440314276331355755866132461321596985526430056988927899479114899053294447700802697849092611264153732845034596143304147296894154594063406502535214999610175577413770003406849756759705571117279825037289641308088310214682418211107156983914990633688947345705294168540142293966230901741901843148151129118233782533371418208975094857361573218946344850619389994324095906207074062159093524286977819801023613457060607798022036303553020476 14 | c2 = 
254866065682021130439724704937184867571988898126920600312144202556337159335488307552034191341001334289495652540971128980722467151376324890145316009877658096246806325051196567044529609683599402485189329892395240384493083054505826600987614336430723213785881831176358478144388474300760084710212411934668239335533485693356382028168837946529365830131133223783968340244661008902365028927933626741730260578060987088277049516429347277957426341268861086257310107687596399904515666210206566515570142933731910160014673044494207393056295622419635061856638050287849658586267948950746076818312815168906437623990438374273215445550 15 | c3 = 66986751702365023425546040811128085934255056222119634201596568962332666689417320304556447002675790986062966970352224594017211232884838178400589946497973469386294416000497968628420724798644253862335331326153504090767110404624684514870325486016592746662855557252592289165913143349801457748311698744736970450983876700104464797966354724061731369270046556016466415901905977429873127066683204343775880967437298869416520779738130821986475609249688136411106965188206590276353646797059304993638685907655812064741087007301962280880350682446416137921607796756476047717004303175907859332970054988289924695017467271667259367926 16 | c4 = 59531950184882790356049596177169766243633485536127278113266454795985447480064539570462585630170415944367132840495806507836267093480678625545936817591854937033439937039828087075778881014953402678052943665968820811578551326692619551669234592698172896800413452669731627601552791837958452516251544653002721298308568913960606365275598616860812772279769873624613991630172996111045159009970449751316389066161574929704254356919957637115206987479209947250327261534001037332567509365955927492251220447277753564340324632065639087041582476532705138114620897878816737352411618205723180638342309329139458240894218141301303853211 17 | 18 | # so we calcualte the message for every one 19 | m1 = pow(c1,d,n) 20 | m2 = pow(c2,d,n) 21 | m3 = pow(c3,d,n) 22 | m4 = 
pow(c4,d,n) 23 | 24 | # And because we want the plain text from it 25 | m1 = hex(m1).replace("0x",'').replace("L",'').decode('hex') 26 | m2 = hex(m2).replace("0x",'').replace("L",'').decode('hex') 27 | m3 = hex(m3).replace("0x",'').replace("L",'').decode('hex') 28 | m4 = hex(m4).replace("0x",'').replace("L",'').decode('hex') 29 | 30 | print("left = \"{}\" or \"{}\" or \"{}\" or \"{}\"".format(m1,m2,m3,m4)) 31 | print("Now use them one by one on the ransomeware after patching it") 32 | 33 | # We patch the binary to decrypt the file 34 | # so the main method looks like this 35 | """ 36 | private static void Main(string[] args) 37 | { 38 | string contents = cryptography.Aes(Convert.FromBase64String(File.ReadAllText(".\\dsafgasf.txt")), "", "ABCDEFGHIJ12", false, true); 39 | File.WriteAllText(".\\sdagfsad.txt", contents); 40 | File.Delete(".\\dsafgasf.txt"); 41 | } 42 | """ 43 | # The right value for `left` is 2281123928613928259 44 | # Now run the patched binary and the flag will be at sdagfsad.txt 45 | # flag--->Bsides{IT's_Trivial_Ransomware} 46 | -------------------------------------------------------------------------------- /ctf.squnity.com/Ransomware/dsafgasf.txt: -------------------------------------------------------------------------------- 1 | +Dd+d+7e+mKNeR9fJy5smW3qj8oojQwwH1Wjs3o3aMI= -------------------------------------------------------------------------------- /ctf.squnity.com/mal_family/README.md: -------------------------------------------------------------------------------- 1 | We were given two binaries with zero imports, a pretty common obfuscation technique used by real-life malware. 2 | 3 | ![ss](https://user-images.githubusercontent.com/46635361/51080312-c6300800-16e1-11e9-8e79-6ab54bce4d9a.png) 4 | 5 | Upload Mal_1.exe to [hybrid-analysis.com](https://hybrid-analysis.com/sample/42512f779a32d5e677e534ad87524e886a80572c2de4e47ed993e264735b31ba) 6 | 7 | There are 4 extracted files; one of them, named config.vbe, is a [VBS compiled
script](https://fileinfo.com/extension/vbe) 8 | 9 | ![extracted_files](https://user-images.githubusercontent.com/46635361/51080022-7b5fc180-16dc-11e9-8ad6-3d643b5cb37c.png) 10 | 11 | and the malware will delete itself at some point using powershell 12 | 13 | ![untitled](https://user-images.githubusercontent.com/46635361/51080134-b662f480-16de-11e9-9e01-566b8f14c003.png) 14 | 15 | now let's get the extracted files ourselves .. open up your win7 debugging vm and just use any file monitor tool i used Moo0, then run the binary. 16 | 17 | ![s](https://user-images.githubusercontent.com/46635361/51080067-a1399600-16dd-11e9-9c09-9644c2c71c43.png) 18 | 19 | locate and decode config.vbe using decode-vbe.py 20 | 21 | ![decode_vbe](https://user-images.githubusercontent.com/46635361/51080078-ce864400-16dd-11e9-8f34-3c3998fcaf19.png) 22 | 23 | the same vbs script can be found within hybrid-analysis report too. 24 | 25 | ![untitled](https://user-images.githubusercontent.com/46635361/51080092-291fa000-16de-11e9-8e9e-10e53d0fe102.png) 26 | 27 | -------------------------------------------------------------------------------- /ctf.squnity.com/mal_family/config.vbe: -------------------------------------------------------------------------------- 1 | #@~^3wAAAA==jY~K4N1+DhK.3,'~ZM+COr4NnmD`Jqd^DbwDRH+OAKDVJ*@#@&9kh~!/+.~@#@&;/.,'~K4N1+DhK.3cjd+M1Ch@#@&@#@&q6PEkn.P{PrAyF[fkJ~Y4nx@#@&~\koAGavJWVmL,)~74f{NM!a2&M*mcM&m^Z::ZUJ*@#@&sd+@#@&,Hdo$GX`;/.P3PE~ PK.z,CCD9nMPlGJ*@#@&Ax9~q65T8AAA==^#~@ -------------------------------------------------------------------------------- /ctf.squnity.com/mal_family/decode-vbe.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | __description__ = 'Decode VBE script' 4 | __author__ = 'Didier Stevens' 5 | __version__ = '0.0.1' 6 | __date__ = '2016/03/28' 7 | 8 | """ 9 | 10 | Source code put in public domain by Didier Stevens, no Copyright 11 | https://DidierStevens.com 12 | Use at your own risk 
13 | 14 | History: 15 | 2016/03/28: start 16 | 17 | Todo: 18 | 19 | Reference: 20 | https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c 21 | """ 22 | 23 | import optparse 24 | import sys 25 | import os 26 | import signal 27 | import textwrap 28 | import re 29 | 30 | def PrintManual(): 31 | manual = ''' 32 | Manual: 33 | 34 | This program reads from the given file or standard input, and converts the encoded VBE script to VBS. 35 | 36 | ''' 37 | for line in manual.split('\n'): 38 | print(textwrap.fill(line)) 39 | 40 | def File2String(filename): 41 | try: 42 | f = open(filename, 'rb') 43 | except: 44 | return None 45 | try: 46 | return f.read() 47 | except: 48 | return None 49 | finally: 50 | f.close() 51 | 52 | def FixPipe(): 53 | try: 54 | signal.signal(signal.SIGPIPE, signal.SIG_DFL) 55 | except: 56 | pass 57 | 58 | #Fix for http://bugs.python.org/issue11395 59 | def StdoutWriteChunked(data): 60 | while data != '': 61 | sys.stdout.write(data[0:10000]) 62 | sys.stdout.flush() 63 | data = data[10000:] 64 | 65 | def Decode(data): 66 | dDecode = {} 67 | dDecode[9] = '\x57\x6E\x7B' 68 | dDecode[10] = '\x4A\x4C\x41' 69 | dDecode[11] = '\x0B\x0B\x0B' 70 | dDecode[12] = '\x0C\x0C\x0C' 71 | dDecode[13] = '\x4A\x4C\x41' 72 | dDecode[14] = '\x0E\x0E\x0E' 73 | dDecode[15] = '\x0F\x0F\x0F' 74 | dDecode[16] = '\x10\x10\x10' 75 | dDecode[17] = '\x11\x11\x11' 76 | dDecode[18] = '\x12\x12\x12' 77 | dDecode[19] = '\x13\x13\x13' 78 | dDecode[20] = '\x14\x14\x14' 79 | dDecode[21] = '\x15\x15\x15' 80 | dDecode[22] = '\x16\x16\x16' 81 | dDecode[23] = '\x17\x17\x17' 82 | dDecode[24] = '\x18\x18\x18' 83 | dDecode[25] = '\x19\x19\x19' 84 | dDecode[26] = '\x1A\x1A\x1A' 85 | dDecode[27] = '\x1B\x1B\x1B' 86 | dDecode[28] = '\x1C\x1C\x1C' 87 | dDecode[29] = '\x1D\x1D\x1D' 88 | dDecode[30] = '\x1E\x1E\x1E' 89 | dDecode[31] = '\x1F\x1F\x1F' 90 | dDecode[32] = '\x2E\x2D\x32' 91 | dDecode[33] = '\x47\x75\x30' 92 | dDecode[34] = '\x7A\x52\x21' 93 | dDecode[35] = '\x56\x60\x29' 94 
| dDecode[36] = '\x42\x71\x5B' 95 | dDecode[37] = '\x6A\x5E\x38' 96 | dDecode[38] = '\x2F\x49\x33' 97 | dDecode[39] = '\x26\x5C\x3D' 98 | dDecode[40] = '\x49\x62\x58' 99 | dDecode[41] = '\x41\x7D\x3A' 100 | dDecode[42] = '\x34\x29\x35' 101 | dDecode[43] = '\x32\x36\x65' 102 | dDecode[44] = '\x5B\x20\x39' 103 | dDecode[45] = '\x76\x7C\x5C' 104 | dDecode[46] = '\x72\x7A\x56' 105 | dDecode[47] = '\x43\x7F\x73' 106 | dDecode[48] = '\x38\x6B\x66' 107 | dDecode[49] = '\x39\x63\x4E' 108 | dDecode[50] = '\x70\x33\x45' 109 | dDecode[51] = '\x45\x2B\x6B' 110 | dDecode[52] = '\x68\x68\x62' 111 | dDecode[53] = '\x71\x51\x59' 112 | dDecode[54] = '\x4F\x66\x78' 113 | dDecode[55] = '\x09\x76\x5E' 114 | dDecode[56] = '\x62\x31\x7D' 115 | dDecode[57] = '\x44\x64\x4A' 116 | dDecode[58] = '\x23\x54\x6D' 117 | dDecode[59] = '\x75\x43\x71' 118 | dDecode[60] = '\x4A\x4C\x41' 119 | dDecode[61] = '\x7E\x3A\x60' 120 | dDecode[62] = '\x4A\x4C\x41' 121 | dDecode[63] = '\x5E\x7E\x53' 122 | dDecode[64] = '\x40\x4C\x40' 123 | dDecode[65] = '\x77\x45\x42' 124 | dDecode[66] = '\x4A\x2C\x27' 125 | dDecode[67] = '\x61\x2A\x48' 126 | dDecode[68] = '\x5D\x74\x72' 127 | dDecode[69] = '\x22\x27\x75' 128 | dDecode[70] = '\x4B\x37\x31' 129 | dDecode[71] = '\x6F\x44\x37' 130 | dDecode[72] = '\x4E\x79\x4D' 131 | dDecode[73] = '\x3B\x59\x52' 132 | dDecode[74] = '\x4C\x2F\x22' 133 | dDecode[75] = '\x50\x6F\x54' 134 | dDecode[76] = '\x67\x26\x6A' 135 | dDecode[77] = '\x2A\x72\x47' 136 | dDecode[78] = '\x7D\x6A\x64' 137 | dDecode[79] = '\x74\x39\x2D' 138 | dDecode[80] = '\x54\x7B\x20' 139 | dDecode[81] = '\x2B\x3F\x7F' 140 | dDecode[82] = '\x2D\x38\x2E' 141 | dDecode[83] = '\x2C\x77\x4C' 142 | dDecode[84] = '\x30\x67\x5D' 143 | dDecode[85] = '\x6E\x53\x7E' 144 | dDecode[86] = '\x6B\x47\x6C' 145 | dDecode[87] = '\x66\x34\x6F' 146 | dDecode[88] = '\x35\x78\x79' 147 | dDecode[89] = '\x25\x5D\x74' 148 | dDecode[90] = '\x21\x30\x43' 149 | dDecode[91] = '\x64\x23\x26' 150 | dDecode[92] = '\x4D\x5A\x76' 151 | 
dDecode[93] = '\x52\x5B\x25' 152 | dDecode[94] = '\x63\x6C\x24' 153 | dDecode[95] = '\x3F\x48\x2B' 154 | dDecode[96] = '\x7B\x55\x28' 155 | dDecode[97] = '\x78\x70\x23' 156 | dDecode[98] = '\x29\x69\x41' 157 | dDecode[99] = '\x28\x2E\x34' 158 | dDecode[100] = '\x73\x4C\x09' 159 | dDecode[101] = '\x59\x21\x2A' 160 | dDecode[102] = '\x33\x24\x44' 161 | dDecode[103] = '\x7F\x4E\x3F' 162 | dDecode[104] = '\x6D\x50\x77' 163 | dDecode[105] = '\x55\x09\x3B' 164 | dDecode[106] = '\x53\x56\x55' 165 | dDecode[107] = '\x7C\x73\x69' 166 | dDecode[108] = '\x3A\x35\x61' 167 | dDecode[109] = '\x5F\x61\x63' 168 | dDecode[110] = '\x65\x4B\x50' 169 | dDecode[111] = '\x46\x58\x67' 170 | dDecode[112] = '\x58\x3B\x51' 171 | dDecode[113] = '\x31\x57\x49' 172 | dDecode[114] = '\x69\x22\x4F' 173 | dDecode[115] = '\x6C\x6D\x46' 174 | dDecode[116] = '\x5A\x4D\x68' 175 | dDecode[117] = '\x48\x25\x7C' 176 | dDecode[118] = '\x27\x28\x36' 177 | dDecode[119] = '\x5C\x46\x70' 178 | dDecode[120] = '\x3D\x4A\x6E' 179 | dDecode[121] = '\x24\x32\x7A' 180 | dDecode[122] = '\x79\x41\x2F' 181 | dDecode[123] = '\x37\x3D\x5F' 182 | dDecode[124] = '\x60\x5F\x4B' 183 | dDecode[125] = '\x51\x4F\x5A' 184 | dDecode[126] = '\x20\x42\x2C' 185 | dDecode[127] = '\x36\x65\x57' 186 | 187 | dCombination = {} 188 | dCombination[0] = 0 189 | dCombination[1] = 1 190 | dCombination[2] = 2 191 | dCombination[3] = 0 192 | dCombination[4] = 1 193 | dCombination[5] = 2 194 | dCombination[6] = 1 195 | dCombination[7] = 2 196 | dCombination[8] = 2 197 | dCombination[9] = 1 198 | dCombination[10] = 2 199 | dCombination[11] = 1 200 | dCombination[12] = 0 201 | dCombination[13] = 2 202 | dCombination[14] = 1 203 | dCombination[15] = 2 204 | dCombination[16] = 0 205 | dCombination[17] = 2 206 | dCombination[18] = 1 207 | dCombination[19] = 2 208 | dCombination[20] = 0 209 | dCombination[21] = 0 210 | dCombination[22] = 1 211 | dCombination[23] = 2 212 | dCombination[24] = 2 213 | dCombination[25] = 1 214 | dCombination[26] = 0 215 
| dCombination[27] = 2 216 | dCombination[28] = 1 217 | dCombination[29] = 2 218 | dCombination[30] = 2 219 | dCombination[31] = 1 220 | dCombination[32] = 0 221 | dCombination[33] = 0 222 | dCombination[34] = 2 223 | dCombination[35] = 1 224 | dCombination[36] = 2 225 | dCombination[37] = 1 226 | dCombination[38] = 2 227 | dCombination[39] = 0 228 | dCombination[40] = 2 229 | dCombination[41] = 0 230 | dCombination[42] = 0 231 | dCombination[43] = 1 232 | dCombination[44] = 2 233 | dCombination[45] = 0 234 | dCombination[46] = 2 235 | dCombination[47] = 1 236 | dCombination[48] = 0 237 | dCombination[49] = 2 238 | dCombination[50] = 1 239 | dCombination[51] = 2 240 | dCombination[52] = 0 241 | dCombination[53] = 0 242 | dCombination[54] = 1 243 | dCombination[55] = 2 244 | dCombination[56] = 2 245 | dCombination[57] = 0 246 | dCombination[58] = 0 247 | dCombination[59] = 1 248 | dCombination[60] = 2 249 | dCombination[61] = 0 250 | dCombination[62] = 2 251 | dCombination[63] = 1 252 | 253 | result = '' 254 | index = -1 255 | for char in data.replace('@&', chr(10)).replace('@#', chr(13)).replace('@*', '>').replace('@!', '<').replace('@$', '@'): 256 | byte = ord(char) 257 | if byte < 128: 258 | index = index + 1 259 | if (byte == 9 or byte > 31 and byte < 128) and byte != 60 and byte != 62 and byte != 64: 260 | char = [c for c in dDecode[byte]][dCombination[index % 64]] 261 | result += char 262 | 263 | return result 264 | 265 | def DecodeVBE(filename, options): 266 | FixPipe() 267 | if sys.platform == 'win32': 268 | import msvcrt 269 | msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY) 270 | if filename == '': 271 | content = sys.stdin.read() 272 | else: 273 | content = File2String(filename) 274 | oMatch = re.search(r'#@~\^......==(.+)......==\^#~@', content) 275 | if oMatch == None: 276 | print('No encoded script found!') 277 | else: 278 | StdoutWriteChunked(Decode(oMatch.groups()[0])) 279 | 280 | def Main(): 281 | oParser = optparse.OptionParser(usage='usage: %prog 
[options] [file]\n' + __description__, version='%prog ' + __version__) 282 | oParser.add_option('-m', '--man', action='store_true', default=False, help='Print manual') 283 | (options, args) = oParser.parse_args() 284 | 285 | if options.man: 286 | oParser.print_help() 287 | PrintManual() 288 | return 289 | 290 | if len(args) > 1: 291 | oParser.print_help() 292 | print('') 293 | print(' Source code put in the public domain by Didier Stevens, no Copyright') 294 | print(' Use at your own risk') 295 | print(' https://DidierStevens.com') 296 | return 297 | elif len(args) == 0: 298 | DecodeVBE('', options) 299 | else: 300 | DecodeVBE(args[0], options) 301 | 302 | if __name__ == '__main__': 303 | Main() 304 | -------------------------------------------------------------------------------- /ctf.squnity.com/mal_family/mal_v1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/ctf.squnity.com/mal_family/mal_v1.exe -------------------------------------------------------------------------------- /ctf.squnity.com/mal_family/mal_v2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/ctf.squnity.com/mal_family/mal_v2.exe -------------------------------------------------------------------------------- /ctf.squnity.com/script/README.md: -------------------------------------------------------------------------------- 1 | Running the binary gives us a message box showing a hex-encoded value. 2 | 3 | ![picture1](https://user-images.githubusercontent.com/46635361/51079417-70526480-16cf-11e9-879a-396c57c04aca.png) 4 | 5 | Using PEstudio, you can find that the binary was packed with UPX. 6 | 7 | ![picture2](https://user-images.githubusercontent.com/46635361/51079452-07b7b780-16d0-11e9-8dfc-ae13b9ec93ad.png) 8 | 9 | 
Disable ASLR and unpack it. 10 | 11 | ![picture3](https://user-images.githubusercontent.com/46635361/51079512-fc18c080-16d0-11e9-9c2b-3e1dba69c7a1.png) 12 | 13 | Using x64dbg, you can find that it uses the [IsDebuggerPresent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx) function to determine whether a debugger is attached; if one is, a message box saying 'This is a third-party compiled AutoIt script.' is shown instead. 14 | 15 | ![untitled](https://user-images.githubusercontent.com/46635361/51079617-b4933400-16d2-11e9-8203-0c3641e5a6a6.png) 16 | 17 | Here you can find how to detect AutoIt-compiled scripts: [AutoIt Malware: From Compiled Binary to Plain-Text Script](https://r3mrum.wordpress.com/2017/07/10/autoit-malware-from-compiled-binary-to-plain-text-script/) 18 | 19 | 20 | Now let's reverse it! 21 | 22 | 23 | Using Exe2Aut, you can extract the actual script. 24 | 25 | ![untitled](https://user-images.githubusercontent.com/46635361/51079703-45b6da80-16d4-11e9-88c6-36f893e67ae0.png) 26 | 27 | Here, near the bottom, you can find this function: 28 | 29 | ```autoit 30 | Func cmmkxdi() 31 | Global $povvyzid_qgidn_wyfvjlrasdasd = 202 32 | Local $texjyuus_kxmczmsui_waowsej = "0xAFAF301D3DF20EE93EB8B8A9842FB0781FEFAAB30F4628D4" 33 | Global $qw_vouefw_jxcp_ucasdasd = 46689 34 | Local $var_1044 = asdasfcyzncmmkxdiasd(False, $texjyuus_kxmczmsui_waowsej, "i4m_th3_fl@g") 35 | Global $aycqkqgdnvzzuelotalsibomsdsd = 116 36 | MsgBox($mb_systemmodal, "BSides Cairo", $texjyuus_kxmczmsui_waowsej) 37 | EndFunc 38 | ``` 39 | 40 | So all we need here is to print the value of var_1044 instead of the hex-encoded value in texjyuus_kxmczmsui_waowsej. Change the code to: 41 | 42 | ```autoit 43 | Func cmmkxdi() 44 | Global $povvyzid_qgidn_wyfvjlrasdasd = 202 45 | Local $texjyuus_kxmczmsui_waowsej = "0xAFAF301D3DF20EE93EB8B8A9842FB0781FEFAAB30F4628D4" 46 | Global $qw_vouefw_jxcp_ucasdasd = 46689 47 | Local $var_1044 = asdasfcyzncmmkxdiasd(False, 
$texjyuus_kxmczmsui_waowsej, "i4m_th3_fl@g") 48 | Global $aycqkqgdnvzzuelotalsibomsdsd = 116 49 | MsgBox($mb_systemmodal, "BSides Cairo", $var_1044) 50 | EndFunc 51 | ``` 52 | 53 | and run it using the AutoIT interpreter 54 | 55 | ![untitled](https://user-images.githubusercontent.com/46635361/51079752-c88c6500-16d5-11e9-8baa-800c582f9dc8.png) 56 | -------------------------------------------------------------------------------- /ctf.squnity.com/script/flag.au3: -------------------------------------------------------------------------------- 1 | Global Const $tmsp_kfxwr_gadti_yg_kp = 181 2 | Global $g_pokfve = Asc("A") 3 | Global Const $ejxwcqimwpkhmeukzcfs[5] = [14, 2867107, 1459604048, 191, 59969] 4 | Global $g_pkzeegrbj = 1684284725 5 | Global $var_1003[2][13] = [[1480472623, 739824560, 65459, 52071, 184], [12937, 426606697, 1346986007, 1873581420, 64744, 78, 1330488538, 758116514, 27959, 139, 235, 61115, 239]] 6 | Global Const $oywkncxh[2][8] = [[642915678, 153318938, 127, 231, 1671164772, 1659135064, 45586, 63851], [839235721, 31, 78, 17046, 51731]] 7 | Global $eofvmzaei[2][12] = [[42859, 44182, 19, 179, 1578365154, 184, 244], [123, 68, 217, 35, 136, 243, 241, 110, 30577, 181, 44, 642783751]] 8 | Global Const $dwoj6_vmo_nel_kc_1nwceru[2][9] = [[13866, 199, 186], [248, 33, 1190298662, 1635321125, 83, 36035, 5929, 60366, 222595951]] 9 | Global Const $rjgalmc_y4z_ew1_ = 15434 10 | #OnAutoItStartRegister "bgKXWloF__dfBQzrdOIW" 11 | Global $var_477 = 139 12 | Global Const $accdc[13] = [1042071602, 9323, 39892691, 91, 53291, 21857, 25412, 116, 214, 25712, 151, 29167, 1867481898] 13 | Global $var_2418[2][15] = [[46, 49254, 78831840, 8120, 1419752462, 1678007514, 38739, 350451018, 1989445107, 41994, 29768, 247, 221, 54169, 7795], [230, 182975502]] 14 | Global $abtzufp_mqpffcnemy_mdvrmm[13] = [105, 66, 54656, 545937605, 421380399, 745385101, 54512, 366217806, 15074, 361199690, 53570, 28515238, 874336090] 15 | Global Const $var_3508[16] = [51678, 34610, 30268, 5, 
1980552357, 6206, 1885809762, 812959221, 46547, 115, 4433, 21786, 253, 168, 290418745, 29355] 16 | #OnAutoItStartRegister "DzaaicyznCmmkxdiwul" 17 | Global Const $fc_nooverwrite = 0 18 | Global Const $fc_overwrite = 1 19 | Global Const $fc_createpath = 8 20 | Global Const $ft_modified = 0 21 | Global Const $ft_created = 1 22 | Global Const $ft_accessed = 2 23 | Global Const $ft_array = 0 24 | Global Const $ft_string = 1 25 | Global Const $fsf_createbutton = 1 26 | Global Const $fsf_newdialog = 2 27 | Global Const $fsf_editcontrol = 4 28 | Global Const $ft_nonrecursive = 0 29 | Global Const $ft_recursive = 1 30 | Global Const $fo_read = 0 31 | Global Const $fo_append = 1 32 | Global Const $fo_overwrite = 2 33 | Global Const $fo_createpath = 8 34 | Global Const $fo_binary = 16 35 | Global Const $fo_unicode = 32 36 | Global Const $fo_utf16_le = 32 37 | Global Const $fo_utf16_be = 64 38 | Global Const $fo_utf8 = 128 39 | Global Const $fo_utf8_nobom = 256 40 | Global Const $fo_ansi = 512 41 | Global Const $fo_utf16_le_nobom = 1024 42 | Global Const $fo_utf16_be_nobom = 2048 43 | Global Const $fo_utf8_full = 16384 44 | Global Const $fo_fullfile_detect = 16384 45 | Global Const $eof = -1 46 | Global Const $fd_filemustexist = 1 47 | Global Const $fd_pathmustexist = 2 48 | Global Const $fd_multiselect = 4 49 | Global Const $fd_promptcreatenew = 8 50 | Global Const $fd_promptoverwrite = 16 51 | Global Const $create_new = 1 52 | Global Const $create_always = 2 53 | Global Const $open_existing = 3 54 | Global Const $open_always = 4 55 | Global Const $truncate_existing = 5 56 | Global Const $invalid_set_file_pointer = -1 57 | Global Const $file_begin = 0 58 | Global Const $file_current = 1 59 | Global Const $file_end = 2 60 | Global Const $file_attribute_readonly = 1 61 | Global Const $file_attribute_hidden = 2 62 | Global Const $file_attribute_system = 4 63 | Global Const $file_attribute_directory = 16 64 | Global Const $file_attribute_archive = 32 65 | Global Const 
$file_attribute_device = 64 66 | Global Const $file_attribute_normal = 128 67 | Global Const $file_attribute_temporary = 256 68 | Global Const $file_attribute_sparse_file = 512 69 | Global Const $file_attribute_reparse_point = 1024 70 | Global Const $file_attribute_compressed = 2048 71 | Global Const $file_attribute_offline = 4096 72 | Global Const $file_attribute_not_content_indexed = 8192 73 | Global Const $file_attribute_encrypted = 16384 74 | Global Const $file_share_read = 1 75 | Global Const $file_share_write = 2 76 | Global Const $file_share_delete = 4 77 | Global Const $file_share_readwrite = BitOR($file_share_read, $file_share_write) 78 | Global Const $file_share_any = BitOR($file_share_read, $file_share_write, $file_share_delete) 79 | Global Const $generic_all = 268435456 80 | Global Const $generic_execute = 536870912 81 | Global Const $generic_write = 1073741824 82 | Global Const $generic_read = -2147483648 83 | Global Const $generic_readwrite = BitOR($generic_read, $generic_write) 84 | Global Const $file_encoding_utf16le = 32 85 | Global Const $fe_entire_utf8 = 1 86 | Global Const $fe_partialfirst_utf8 = 2 87 | Global Const $fn_fullpath = 0 88 | Global Const $fn_relativepath = 1 89 | Global Const $fv_comments = "Comments" 90 | Global Const $fv_companyname = "CompanyName" 91 | Global Const $fv_filedescription = "FileDescription" 92 | Global Const $fv_fileversion = "FileVersion" 93 | Global Const $fv_internalname = "InternalName" 94 | Global Const $fv_legalcopyright = "LegalCopyright" 95 | Global Const $fv_legaltrademarks = "LegalTrademarks" 96 | Global Const $fv_originalfilename = "OriginalFilename" 97 | Global Const $fv_productname = "ProductName" 98 | Global Const $fv_productversion = "ProductVersion" 99 | Global Const $fv_privatebuild = "PrivateBuild" 100 | Global Const $fv_specialbuild = "SpecialBuild" 101 | Global Const $frta_nocount = 0 102 | Global Const $frta_count = 1 103 | Global Const $frta_intarrays = 2 104 | Global Const $frta_entiresplit = 
4 105 | Global Const $flta_filesfolders = 0 106 | Global Const $flta_files = 1 107 | Global Const $flta_folders = 2 108 | Global Const $fltar_filesfolders = 0 109 | Global Const $fltar_files = 1 110 | Global Const $fltar_folders = 2 111 | Global Const $fltar_nohidden = 4 112 | Global Const $fltar_nosystem = 8 113 | Global Const $fltar_nolink = 16 114 | Global Const $fltar_norecur = 0 115 | Global Const $fltar_recur = 1 116 | Global Const $fltar_nosort = 0 117 | Global Const $fltar_sort = 1 118 | Global Const $fltar_fastsort = 2 119 | Global Const $fltar_nopath = 0 120 | Global Const $fltar_relpath = 1 121 | Global Const $fltar_fullpath = 2 122 | Global Const $path_original = 0 123 | Global Const $path_drive = 1 124 | Global Const $path_directory = 2 125 | Global Const $path_filename = 3 126 | Global Const $path_extension = 4 127 | Global Const $mb_ok = 0 128 | Global Const $mb_okcancel = 1 129 | Global Const $mb_abortretryignore = 2 130 | Global Const $mb_yesnocancel = 3 131 | Global Const $mb_yesno = 4 132 | Global Const $mb_retrycancel = 5 133 | Global Const $mb_canceltrycontinue = 6 134 | Global Const $mb_help = 16384 135 | Global Const $mb_iconstop = 16 136 | Global Const $mb_iconerror = 16 137 | Global Const $mb_iconhand = 16 138 | Global Const $mb_iconquestion = 32 139 | Global Const $mb_iconexclamation = 48 140 | Global Const $mb_iconwarning = 48 141 | Global Const $mb_iconinformation = 64 142 | Global Const $mb_iconasterisk = 64 143 | Global Const $mb_usericon = 128 144 | Global Const $mb_defbutton1 = 0 145 | Global Const $mb_defbutton2 = 256 146 | Global Const $mb_defbutton3 = 512 147 | Global Const $mb_defbutton4 = 768 148 | Global Const $mb_applmodal = 0 149 | Global Const $mb_systemmodal = 4096 150 | Global Const $mb_taskmodal = 8192 151 | Global Const $mb_default_desktop_only = 131072 152 | Global Const $mb_right = 524288 153 | Global Const $mb_rtlreading = 1048576 154 | Global Const $mb_setforeground = 65536 155 | Global Const $mb_topmost = 262144 156 
; ---------------------------------------------------------------------------
; Decompiled AutoIt script (the file continues from earlier constant tables).
; Everything up to the "CTF payload" marker below looks like stock AutoIt
; UDF code (WinAPI error helpers + the Crypt UDF, a CryptoAPI/advapi32
; wrapper) as emitted by a decompiler: identifiers are lower-cased and all
; original comments are gone. The small functions at the end are the
; challenge-specific part: an RC4-encrypted blob is decrypted with a
; hard-coded password and shown in a message box.
;
; Error convention used throughout: functions return a sentinel (-1, False,
; "") and set @error/@extended via SetError(); helpers whose parameters are
; `Const $_icurrenterror = @error, Const $_icurrentextended = @extended`
; capture the caller's @error/@extended at call time and restore them on
; return so that calling the helper does not clobber them.
; ---------------------------------------------------------------------------

; MsgBox flag / return-id constants (MsgBoxConstants).
; 2097152 = 0x200000 (MB_SERVICE_NOTIFICATION).
Global Const $mb_service_notification = 2097152
Global Const $mb_rightjustified = $mb_right    ; $mb_right is defined earlier in the script (not in this excerpt)
Global Const $idtimeout = -1
Global Const $idok = 1
Global Const $idcancel = 2
Global Const $idabort = 3
Global Const $idretry = 4
Global Const $idignore = 5
Global Const $idyes = 6
Global Const $idno = 7
Global Const $idclose = 8
Global Const $idhelp = 9
Global Const $idtryagain = 10
Global Const $idcontinue = 11

; String-function flag constants (StringConstants).
Global Const $str_nocasesense = 0
Global Const $str_casesense = 1
Global Const $str_nocasesensebasic = 2
Global Const $str_stripleading = 1
Global Const $str_striptrailing = 2
Global Const $str_stripspaces = 4
Global Const $str_stripall = 8
Global Const $str_chrsplit = 0
Global Const $str_entiresplit = 1
Global Const $str_nocount = 2
Global Const $str_regexpmatch = 0
Global Const $str_regexparraymatch = 1
Global Const $str_regexparrayfullmatch = 2
Global Const $str_regexparrayglobalmatch = 3
Global Const $str_regexparrayglobalfullmatch = 4
Global Const $str_endisstart = 0
Global Const $str_endnotstart = 1
Global Const $sb_ansi = 1
Global Const $sb_utf16le = 2
Global Const $sb_utf16be = 3
Global Const $sb_utf8 = 4
Global Const $se_utf16 = 0
Global Const $se_ansi = 1
Global Const $se_utf8 = 2
Global Const $str_utf16 = 0
Global Const $str_ucs2 = 1

#Region Global Variables and Constants
; FormatMessageW dwFlags bits (Win32 FORMAT_MESSAGE_*).
Global Const $format_message_allocate_buffer = 256
Global Const $format_message_ignore_inserts = 512
Global Const $format_message_from_string = 1024
Global Const $format_message_from_hmodule = 2048
Global Const $format_message_from_system = 4096
Global Const $format_message_argument_array = 8192
#EndRegion Global Variables and Constants

; Plays a tone through kernel32!Beep.
; $ifreq     - frequency in Hz, $iduration - length in ms.
; Returns the BOOL from Beep; False with @error set if the DllCall itself fails.
Func _winapi_beep($ifreq = 500, $iduration = 1000)
    Local $aresult = DllCall("kernel32.dll", "bool", "Beep", "dword", $ifreq, "dword", $iduration)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

; Thin wrapper over kernel32!FormatMessageW.
; $pbuffer is passed ByRef: when it is a string the "wstr" marshalling is used
; and the formatted text is written back into $pbuffer; otherwise it is
; treated as a struct pointer (used with FORMAT_MESSAGE_ALLOCATE_BUFFER, where
; the API stores a LocalAlloc'd pointer into it).
; Returns the character count reported by FormatMessageW, or 0 with
; @error = DllCall error + 10 on failure.
Func _winapi_formatmessage($iflags, $psource, $imessageid, $ilanguageid, ByRef $pbuffer, $isize, $varguments)
    Local $sbuffertype = "struct*"
    If IsString($pbuffer) Then $sbuffertype = "wstr"
    Local $aresult = DllCall("kernel32.dll", "dword", "FormatMessageW", "dword", $iflags, "struct*", $psource, "dword", $imessageid, "dword", $ilanguageid, $sbuffertype, $pbuffer, "dword", $isize, "ptr", $varguments)
    If @error OR NOT $aresult[0] Then Return SetError(@error + 10, @extended, 0)
    If $sbuffertype = "wstr" Then $pbuffer = $aresult[5]
    Return $aresult[0]
EndFunc

; Returns the system text for a Win32 error code ($icode) in language
; $ilanguage (0 = default). 4096 is FORMAT_MESSAGE_FROM_SYSTEM (same value as
; $format_message_from_system above); the second 4096 is the wstr buffer size.
; Trailing CR/LF/comma characters are stripped from the message.
; On failure returns "" with @error set; on success the caller's
; @error/@extended are restored.
Func _winapi_geterrormessage($icode, $ilanguage = 0, Const $_icurrenterror = @error, Const $_icurrentextended = @extended)
    Local $aret = DllCall("kernel32.dll", "dword", "FormatMessageW", "dword", 4096, "ptr", 0, "dword", $icode, "dword", $ilanguage, "wstr", "", "dword", 4096, "ptr", 0)
    If @error OR NOT $aret[0] Then Return SetError(@error, @extended, "")
    Return SetError($_icurrenterror, $_icurrentextended, StringRegExpReplace($aret[5], "[" & @LF & "," & @CR & "]*\Z", ""))
EndFunc

; Returns kernel32!GetLastError() for the calling thread, preserving the
; caller's @error/@extended.
Func _winapi_getlasterror(Const $_icurrenterror = @error, Const $_icurrentextended = @extended)
    Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError")
    Return SetError($_icurrenterror, $_icurrentextended, $aresult[0])
EndFunc

; Returns the system message text for the current GetLastError() value.
; Uses FORMAT_MESSAGE_ALLOCATE_BUFFER, so the API allocates the buffer and the
; pointer lands in $tbufferptr; that buffer is released with LocalFree below.
; A trailing CRLF is trimmed. Returns "" when FormatMessage fails (@error is
; the negated _winapi_formatmessage error).
Func _winapi_getlasterrormessage(Const $_icurrenterror = @error, Const $_icurrentextended = @extended)
    Local $ilasterror = _winapi_getlasterror()
    Local $tbufferptr = DllStructCreate("ptr")
    Local $ncount = _winapi_formatmessage(BitOR($format_message_allocate_buffer, $format_message_from_system), 0, $ilasterror, 0, $tbufferptr, 0, 0)
    If @error Then Return SetError(-@error, @extended, "")
    Local $stext = ""
    Local $pbuffer = DllStructGetData($tbufferptr, 1)
    If $pbuffer Then
        If $ncount > 0 Then
            ; Map a wchar array over the API-owned buffer to copy the text out.
            Local $tbuffer = DllStructCreate("wchar[" & ($ncount + 1) & "]", $pbuffer)
            $stext = DllStructGetData($tbuffer, 1)
            If StringRight($stext, 2) = @CRLF Then $stext = StringTrimRight($stext, 2)
        EndIf
        DllCall("kernel32.dll", "handle", "LocalFree", "handle", $pbuffer)
    EndIf
    Return SetError($_icurrenterror, $_icurrentextended, $stext)
EndFunc

; Plays a system sound via user32!MessageBeep.
; $itype 1..5 maps to MB_OK(0), MB_ICONHAND(16), MB_ICONQUESTION(32),
; MB_ICONEXCLAMATION(48), MB_ICONASTERISK(64); anything else is -1
; (0xFFFFFFFF, the simple beep).
Func _winapi_messagebeep($itype = 1)
    Local $isound
    Switch $itype
        Case 1
            $isound = 0
        Case 2
            $isound = 16
        Case 3
            $isound = 32
        Case 4
            $isound = 48
        Case 5
            $isound = 64
        Case Else
            $isound = -1
    EndSwitch
    Local $aresult = DllCall("user32.dll", "bool", "MessageBeep", "uint", $isound)
    If @error Then Return SetError(@error, @extended, False)
    Return $aresult[0]
EndFunc

; Shows a message box after re-enabling user input (BlockInput(0)), so a
; dialog is never shown while input is blocked. A trailing space is appended
; to the text.
Func _winapi_msgbox($iflags, $stitle, $stext)
    BlockInput(0)
    MsgBox($iflags, $stitle, $stext & " ")
EndFunc

; Sets the thread's last-error code via kernel32!SetLastError, preserving the
; caller's @error/@extended.
Func _winapi_setlasterror($ierrorcode, Const $_icurrenterror = @error, Const $_icurrentextended = @extended)
    DllCall("kernel32.dll", "none", "SetLastError", "dword", $ierrorcode)
    Return SetError($_icurrenterror, $_icurrentextended, NULL )
EndFunc

; Shows a system-modal "Error" box and, by default, terminates the script.
Func _winapi_showerror($stext, $bexit = True)
    BlockInput(0)
    MsgBox($mb_systemmodal, "Error", $stext & " ")    ; $mb_systemmodal is defined earlier in the script
    If $bexit Then Exit
EndFunc

; Shows the current GetLastError() code and its message text.
; If the requested language fails, the lookup is retried once with language 0.
; Icon selection: BitShift(16, -2 * (NOT $ilasterror)) is 16 (MB_ICONERROR)
; when the error code is non-zero and 16 << 2 = 64 (MB_ICONINFORMATION) when
; it is zero; 262144 = 0x40000 (MB_TOPMOST). The last-error value is put back
; afterwards because the message-box calls may have changed it, and with
; $babort the process exits using the error code as exit status.
Func _winapi_showlasterror($stext = "", $babort = False, $ilanguage = 0, Const $_icurrenterror = @error, Const $_icurrentextended = @extended)
    Local $serror
    Local $ilasterror = _winapi_getlasterror()
    While 1
        $serror = _winapi_geterrormessage($ilasterror, $ilanguage)
        If @error AND $ilanguage Then
            $ilanguage = 0
        Else
            ExitLoop
        EndIf
    WEnd
    If StringStripWS($stext, $str_stripleading + $str_striptrailing) Then
        $stext &= @CRLF & @CRLF
    Else
        $stext = ""
    EndIf
    _winapi_msgbox(BitOR(262144, BitShift(16, -2 * (NOT $ilasterror))), $ilasterror, $stext & $serror)
    If $ilasterror Then
        _winapi_setlasterror($ilasterror)
        If $babort Then
            Exit $ilasterror
        EndIf
    EndIf
    Return SetError($_icurrenterror, $_icurrentextended, 1)
EndFunc

; Shows a system-modal "Information" box.
Func _winapi_showmsg($stext)
    _winapi_msgbox($mb_systemmodal, "Information", $stext)
EndFunc

; Formats the fields of a COM error object into one multi-line string.
; The local $str_striptrailing shadows the global of the same value.
Func __comerrorformating(ByRef $ocomerror, $sprefix = @TAB)
    Local Const $str_striptrailing = 2
    Local $serror = "COM Error encountered in " & @ScriptName & " (" & $ocomerror.scriptline & ") :" & @CRLF & $sprefix & "Number " & @TAB & "= 0x" & Hex($ocomerror.number, 8) & " (" & $ocomerror.number & ")" & @CRLF & $sprefix & "WinDescription" & @TAB & "= " & StringStripWS($ocomerror.windescription, $str_striptrailing) & @CRLF & $sprefix & "Description " & @TAB & "= " & StringStripWS($ocomerror.description, $str_striptrailing) & @CRLF & $sprefix & "Source " & @TAB & "= " & $ocomerror.source & @CRLF & $sprefix & "HelpFile " & @TAB & "= " & $ocomerror.helpfile & @CRLF & $sprefix & "HelpContext " & @TAB & "= " & $ocomerror.helpcontext & @CRLF & $sprefix & "LastDllError " & @TAB & "= " & $ocomerror.lastdllerror & @CRLF & $sprefix & "Retcode " & @TAB & "= 0x" & Hex($ocomerror.retcode)
    Return $serror
EndFunc

; --- CryptoAPI (advapi32) constants ---------------------------------------
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456    ; 0xF0000000 as a signed 32-bit value: ephemeral context, no key container
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $kp_algid = 7
; ALG_ID values. The hash ids are 0x80xx, the cipher ids 0x66xx/0x68xx.
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_sha_256 = 32780
Global Const $calg_sha_384 = 32781
Global Const $calg_sha_512 = 32782
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
; Pseudo-id meaning "$vcryptkey is already a CryptoAPI key handle, do not derive one".
Global Const $calg_userkey = 0
; Module state, see the __crypt_* accessors below:
;   [0] reference count of _crypt_startup() callers
;   [1] DllOpen handle for Advapi32.dll
;   [2] HCRYPTPROV from CryptAcquireContext
Global $__g_acryptinternaldata[3]

; Reference-counted initialisation of the CryptoAPI provider.
; On the first call it opens Advapi32.dll and acquires PROV_RSA_AES with
; CRYPT_VERIFYCONTEXT (no persistent key container). Every successful call
; increments the refcount; callers must balance it with _crypt_shutdown()
; (or _crypt_destroykey(), which calls it).
; @error: 1001 = DllOpen failed, 1002+ = CryptAcquireContext failed
; (@extended carries GetLastError when the API returned FALSE).
Func _crypt_startup()
    If __crypt_refcount() = 0 Then
        Local $hadvapi32 = DllOpen("Advapi32.dll")
        If $hadvapi32 = -1 Then Return SetError(1001, 0, False)
        __crypt_dllhandleset($hadvapi32)
        Local $iproviderid = $prov_rsa_aes
        Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
        If @error OR NOT $aret[0] Then
            Local $ierror = @error + 1002, $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            DllClose(__crypt_dllhandle())
            Return SetError($ierror, $iextended, False)
        Else
            __crypt_contextset($aret[1])
        EndIf
    EndIf
    __crypt_refcountinc()
    Return True
EndFunc

; Decrements the refcount; when it reaches zero the provider context is
; released and the DLL handle closed.
Func _crypt_shutdown()
    __crypt_refcountdec()
    If __crypt_refcount() = 0 Then
        DllCall(__crypt_dllhandle(), "bool", "CryptReleaseContext", "handle", __crypt_context(), "dword", 0)
        DllClose(__crypt_dllhandle())
    EndIf
EndFunc

; Turns a password into a CryptoAPI session key for cipher $ialgid:
; hash($vpassword) with $ihashpasswordid (MD5 by default), then CryptDeriveKey.
; This is a single unsalted hash of the password with no iteration count, not
; a password-based KDF: the key is a fixed function of the password bytes, so
; anyone who knows (or can guess) the password recovers the same key.
; Returns the HCRYPTKEY on success, -1 on failure with @error = 10/20/30 +
; DllCall error for the hash-create / hash-data / derive step respectively.
; The _crypt_startup() reference taken here is not released in this function;
; the matching _crypt_shutdown() happens in _crypt_destroykey().
Func _crypt_derivekey($vpassword, $ialgid, $ihashpasswordid = $calg_md5)
    Local $aret = 0, $tbuff = 0, $hcrypthash = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihashpasswordid, "ptr", 0, "dword", 0, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 10
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $hcrypthash = $aret[5]
        $tbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
        DllStructSetData($tbuff, 1, $vpassword)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $tbuff, "dword", DllStructGetSize($tbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialgid, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 30
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $vreturn = $aret[5]
    Until True
    ; The hash object is only needed to derive the key; always free it.
    If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

; Destroys a key handle from _crypt_derivekey() and releases the
; _crypt_startup() reference that _crypt_derivekey() took.
; Returns True, or False with @error = DllCall error + 10.
Func _crypt_destroykey($hcryptkey)
    Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDestroyKey", "handle", $hcryptkey)
    Local $ierror = @error, $iextended = @extended
    If NOT $aret[0] Then $iextended = _winapi_getlasterror()
    _crypt_shutdown()
    If $ierror OR NOT $aret[0] Then
        Return SetError($ierror + 10, $iextended, False)
    Else
        Return True
    EndIf
EndFunc

; Encrypts $vdata with CryptEncrypt.
; $ialgid = $calg_userkey: $vcryptkey is an existing key handle (its
; algorithm is queried so RC4 gets the same empty-input shortcut);
; otherwise $vcryptkey is a password and a key is derived for $ialgid,
; used, and destroyed again here.
; $bfinal = False lets callers feed a stream in chunks (see _crypt_encryptfile).
; For RC4 an empty input returns an empty Binary without calling the API.
; CryptEncrypt is called twice: first with a NULL buffer to learn the required
; output size ($aret[6]), then with a buffer of that size holding the data.
; Returns the ciphertext as Binary, or -1 with @error set (50+/60+ for the
; two CryptEncrypt calls, or the _crypt_derivekey error).
Func _crypt_encryptdata($vdata, $vcryptkey, $ialgid, $bfinal = True)
    Switch $ialgid
        Case $calg_userkey
            Local $icalgused = __crypt_getcalgfromcryptkey($vcryptkey)
            If @error Then Return SetError(@error, @extended, -1)
            If $icalgused = $calg_rc4 Then ContinueCase
        Case $calg_rc4
            If BinaryLen($vdata) = 0 Then Return SetError(0, 0, Binary(""))
    EndSwitch
    Local $ireqbuffsize = 0, $aret = 0, $tbuff = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        If $ialgid <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 50
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $ireqbuffsize = $aret[6]
        $tbuff = DllStructCreate("byte[" & $ireqbuffsize + 1 & "]")
        DllStructSetData($tbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $tbuff, "dword*", BinaryLen($vdata), "dword", $ireqbuffsize)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 60
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $vreturn = BinaryMid(DllStructGetData($tbuff, 1), 1, $ireqbuffsize)
    Until True
    ; NOTE(review): when _crypt_derivekey() failed, $vcryptkey is -1 here and
    ; _crypt_destroykey() is still called with it (which also balances the refcount).
    If $ialgid <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

; Decrypts $vdata with CryptDecrypt; key/algorithm handling mirrors
; _crypt_encryptdata(). The work buffer is the input length + 1000 bytes;
; CryptDecrypt works in place and reports the plaintext length in $aret[6],
; which is then copied out of the same buffer.
; Returns the plaintext as Binary, or -1 with @error set (70+ for the
; CryptDecrypt call, or the _crypt_derivekey error).
Func _crypt_decryptdata($vdata, $vcryptkey, $ialgid, $bfinal = True)
    Switch $ialgid
        Case $calg_userkey
            Local $icalgused = __crypt_getcalgfromcryptkey($vcryptkey)
            If @error Then Return SetError(@error, @extended, -1)
            If $icalgused = $calg_rc4 Then ContinueCase
        Case $calg_rc4
            If BinaryLen($vdata) = 0 Then Return SetError(0, 0, Binary(""))
    EndSwitch
    Local $aret = 0, $tbuff = 0, $ttempstruct = 0, $ierror = 0, $iextended = 0, $iplaintextsize = 0, $vreturn = 0
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        If $ialgid <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $tbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
        If BinaryLen($vdata) > 0 Then DllStructSetData($tbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $tbuff, "dword*", BinaryLen($vdata))
        If @error OR NOT $aret[0] Then
            $ierror = @error + 70
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        $iplaintextsize = $aret[6]
        ; Overlay a struct of exactly the plaintext size on the work buffer.
        $ttempstruct = DllStructCreate("byte[" & $iplaintextsize + 1 & "]", DllStructGetPtr($tbuff))
        $vreturn = BinaryMid(DllStructGetData($ttempstruct, 1), 1, $iplaintextsize)
    Until True
    If $ialgid <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

; Hashes $vdata with algorithm $ialgid. Supports incremental hashing:
; with $bfinal = False the (new or passed-in) hash handle is returned so the
; caller can feed more data; with $bfinal = True the digest is read via
; CryptGetHashParam(HP_HASHSIZE, then HP_HASHVAL), the hash object is
; destroyed, and the digest is returned as Binary.
; Returns -1 with @error = 10/20/30/40 + DllCall error for create / hash-data /
; get-size / get-value failures.
Func _crypt_hashdata($vdata, $ialgid, $bfinal = True, $hcrypthash = 0)
    Local $aret = 0, $tbuff = 0, $ierror = 0, $iextended = 0, $ihashsize = 0, $vreturn = 0
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        If $hcrypthash = 0 Then
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ialgid, "ptr", 0, "dword", 0, "handle*", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 10
                $iextended = @extended
                If NOT $aret[0] Then $iextended = _winapi_getlasterror()
                $vreturn = -1
                ExitLoop
            EndIf
            $hcrypthash = $aret[5]
        EndIf
        $tbuff = DllStructCreate("byte[" & BinaryLen($vdata) & "]")
        DllStructSetData($tbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $tbuff, "dword", DllStructGetSize($tbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            If NOT $aret[0] Then $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        If $bfinal Then
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashsize, "dword*", 0, "dword*", 4, "dword", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 30
                $iextended = @extended
                If NOT $aret[0] Then $iextended = _winapi_getlasterror()
                $vreturn = -1
                ExitLoop
            EndIf
            $ihashsize = $aret[3]
            $tbuff = DllStructCreate("byte[" & $ihashsize & "]")
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashval, "struct*", $tbuff, "dword*", $ihashsize, "dword", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 40
                $iextended = @extended
                If NOT $aret[0] Then $iextended = _winapi_getlasterror()
                $vreturn = -1
                ExitLoop
            EndIf
            $vreturn = DllStructGetData($tbuff, 1)
        Else
            $vreturn = $hcrypthash
        EndIf
    Until True
    ; Keep the hash object alive for non-final (chunked) calls.
    If $hcrypthash <> 0 AND $bfinal Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

; Hashes a file in 512 KiB chunks with _crypt_hashdata(). End of file is
; detected through FileRead setting @error, at which point the last chunk is
; passed with $bfinal = True to obtain the digest.
; @error: 1 = FileOpen failed, _crypt_hashdata errors are passed through
; (+100 for the non-final chunks). $fo_binary is defined earlier in the script.
Func _crypt_hashfile($sfilepath, $ialgid)
    Local $dtempdata = 0, $hfile = 0, $hhashobject = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        $hfile = FileOpen($sfilepath, $fo_binary)
        If $hfile = -1 Then
            $ierror = 1
            $iextended = _winapi_getlasterror()
            $vreturn = -1
            ExitLoop
        EndIf
        Do
            $dtempdata = FileRead($hfile, 512 * 1024)
            If @error Then
                $vreturn = _crypt_hashdata($dtempdata, $ialgid, True, $hhashobject)
                If @error Then
                    $ierror = @error
                    $iextended = @extended
                    $vreturn = -1
                    ExitLoop 2
                EndIf
                ExitLoop 2
            Else
                $hhashobject = _crypt_hashdata($dtempdata, $ialgid, False, $hhashobject)
                If @error Then
                    $ierror = @error + 100
                    $iextended = @extended
                    $vreturn = -1
                    ExitLoop 2
                EndIf
            EndIf
        Until False
    Until True
    _crypt_shutdown()
    If $hfile <> -1 Then FileClose($hfile)
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

; Encrypts $ssourcefile into $sdestinationfile in 1 MiB chunks.
; A key is derived once from $vcryptkey (unless $ialgid = $calg_userkey) and
; every chunk is then passed to _crypt_encryptdata() with $calg_userkey; the
; chunk that brings $iread up to the size measured by FileGetSize() is sent
; with $bfinal = True.
; NOTE(review): unlike _crypt_hashfile(), the read loop does not check
; FileRead's @error; the only exit is $iread = $ifilesize, so if the file
; size changed between FileGetSize() and the reads (or FileGetSize() failed
; and returned 0) the inner loop has no end-of-file exit - confirm before
; relying on this for untrusted/changing files.
; NOTE(review): in the final-chunk branch an encryption error does not skip
; the FileWrite, so the -1 sentinel is written to the output before exiting.
; @error: 2 = source FileOpen failed, 3 = destination FileOpen failed,
; +400/+500 = _crypt_encryptdata error on the final / a middle chunk.
; $fo_overwrite, $fo_createpath and $fo_binary are defined earlier in the script.
Func _crypt_encryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialgid)
    Local $dtempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        If $ialgid <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $breturn = False
                ExitLoop
            EndIf
        EndIf
        $hinfile = FileOpen($ssourcefile, $fo_binary)
        If $hinfile = -1 Then
            $ierror = 2
            $iextended = _winapi_getlasterror()
            $breturn = False
            ExitLoop
        EndIf
        $houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
        If $houtfile = -1 Then
            $ierror = 3
            $iextended = _winapi_getlasterror()
            $breturn = False
            ExitLoop
        EndIf
        Do
            $dtempdata = FileRead($hinfile, 1024 * 1024)
            $iread += BinaryLen($dtempdata)
            If $iread = $ifilesize Then
                $dtempdata = _crypt_encryptdata($dtempdata, $vcryptkey, $calg_userkey, True)
                If @error Then
                    $ierror = @error + 400
                    $iextended = @extended
                    $breturn = False
                EndIf
                FileWrite($houtfile, $dtempdata)
                ExitLoop 2
            Else
                $dtempdata = _crypt_encryptdata($dtempdata, $vcryptkey, $calg_userkey, False)
                If @error Then
                    $ierror = @error + 500
                    $iextended = @extended
                    $breturn = False
                    ExitLoop 2
                EndIf
                FileWrite($houtfile, $dtempdata)
            EndIf
        Until False
    Until True
    If $ialgid <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    If $hinfile <> -1 Then FileClose($hinfile)
    If $houtfile <> -1 Then FileClose($houtfile)
    Return SetError($ierror, $iextended, $breturn)
EndFunc

; Decrypts $ssourcefile into $sdestinationfile; same chunking, termination
; condition, error codes and caveats as _crypt_encryptfile(), with
; _crypt_decryptdata() doing the work.
Func _crypt_decryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialgid)
    Local $dtempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, -1)
    Do
        If $ialgid <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $breturn = False
                ExitLoop
            EndIf
        EndIf
        $hinfile = FileOpen($ssourcefile, $fo_binary)
        If $hinfile = -1 Then
            $ierror = 2
            $iextended = _winapi_getlasterror()
            $breturn = False
            ExitLoop
        EndIf
        $houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
        If $houtfile = -1 Then
            $ierror = 3
            $iextended = _winapi_getlasterror()
            $breturn = False
            ExitLoop
        EndIf
        Do
            $dtempdata = FileRead($hinfile, 1024 * 1024)
            $iread += BinaryLen($dtempdata)
            If $iread = $ifilesize Then
                $dtempdata = _crypt_decryptdata($dtempdata, $vcryptkey, $calg_userkey, True)
                If @error Then
                    $ierror = @error + 400
                    $iextended = @extended
                    $breturn = False
                EndIf
                FileWrite($houtfile, $dtempdata)
                ExitLoop 2
            Else
                $dtempdata = _crypt_decryptdata($dtempdata, $vcryptkey, $calg_userkey, False)
                If @error Then
                    $ierror = @error + 500
                    $iextended = @extended
                    $breturn = False
                    ExitLoop 2
                EndIf
                FileWrite($houtfile, $dtempdata)
            EndIf
        Until False
    Until True
    If $ialgid <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    If $hinfile <> -1 Then FileClose($hinfile)
    If $houtfile <> -1 Then FileClose($houtfile)
    Return SetError($ierror, $iextended, $breturn)
EndFunc

; Fills $isize bytes of the caller's struct $pbuffer with CryptGenRandom output
; (the CSP's random generator, not AutoIt's Random()).
; Returns True, or False with @error = DllCall error + 10.
Func _crypt_genrandom($pbuffer, $isize)
    _crypt_startup()
    If @error Then Return SetError(@error, @extended, False)
    Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGenRandom", "handle", __crypt_context(), "dword", $isize, "struct*", $pbuffer)
    Local $ierror = @error, $iextended = @extended
    If NOT $aret[0] Then $iextended = _winapi_getlasterror()
    _crypt_shutdown()
    If $ierror OR (NOT $aret[0]) Then
        Return SetError($ierror + 10, $iextended, False)
    Else
        Return True
    EndIf
EndFunc

; --- accessors for $__g_acryptinternaldata ---------------------------------

; Current _crypt_startup() reference count.
Func __crypt_refcount()
    Return $__g_acryptinternaldata[0]
EndFunc

Func __crypt_refcountinc()
    $__g_acryptinternaldata[0] += 1
EndFunc

; Never goes below zero, so unbalanced shutdown calls are absorbed.
Func __crypt_refcountdec()
    If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc

; DllOpen handle for Advapi32.dll.
Func __crypt_dllhandle()
    Return $__g_acryptinternaldata[1]
EndFunc

Func __crypt_dllhandleset($hadvapi32)
    $__g_acryptinternaldata[1] = $hadvapi32
EndFunc

; HCRYPTPROV acquired in _crypt_startup().
Func __crypt_context()
    Return $__g_acryptinternaldata[2]
EndFunc

Func __crypt_contextset($hcryptcontext)
    $__g_acryptinternaldata[2] = $hcryptcontext
EndFunc

; Reads the ALG_ID of an existing key handle via CryptGetKeyParam(KP_ALGID).
; On failure sets @error = DllCall error + 80 and returns $crypt_userdata (1),
; which is not one of the $calg_* values defined above - callers must check
; @error rather than the returned value.
Func __crypt_getcalgfromcryptkey($vcryptkey)
    Local $talgid = DllStructCreate("uint")
    Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetKeyParam", "handle", $vcryptkey, "dword", $kp_algid, "struct*", $talgid, "dword*", DllStructGetSize($talgid), "dword", 0)
    Local $ierror = @error, $iextended = @extended
    If NOT $aret[0] Then $iextended = _winapi_getlasterror()
    If $ierror OR NOT $aret[0] Then
        Return SetError($ierror + 80, $iextended, $crypt_userdata)
    Else
        Return DllStructGetData($talgid, 1)
    EndIf
EndFunc

; --- CTF payload ------------------------------------------------------------
; Entry point of the challenge logic (invoked by the bare `cmmkxdi()` call
; further down). The hex string is the embedded RC4 ciphertext and the string
; literal passed as the third argument is the password the key is derived
; from; the decrypted text is what the message box displays. Because both
; the ciphertext and the password are hard-coded in the script, decompiling
; the binary is enough to recover the plaintext - the "protection" only hides
; the string from a plain strings dump.
; The Global assignments inside this and the following functions are never
; read anywhere in this listing; they look like decompiler/obfuscation filler.
Func cmmkxdi()
    Global $povvyzid_qgidn_wyfvjlrasdasd = 202
    Local $texjyuus_kxmczmsui_waowsej = "0xAFAF301D3DF20EE93EB8B8A9842FB0781FEFAAB30F4628D4"
    Global $qw_vouefw_jxcp_ucasdasd = 46689
    Local $var_1044 = asdasfcyzncmmkxdiasd(False, $texjyuus_kxmczmsui_waowsej, "i4m_th3_fl@g")
    Global $aycqkqgdnvzzuelotalsibomsdsd = 116
    MsgBox($mb_systemmodal, "BSides Cairo", $var_1044)
EndFunc

; The functions below (func_2953 ... bgkxwlof__dfbqzrdoiw) are not called
; from anywhere in this listing; they return constants or declare unused
; globals and appear to be padding.
Func func_2953()
    Return 11434
EndFunc

Func dzaaicyzncmmkxdiwulasd()
    Global $irqoogvvik_skzydliuxf_xgollwjjr = 77
EndFunc

Func dzaaicyzncmmkxdiwulxxx()
    Global $irqoogvvik_skzydliuxf_xgollwjjr = 77
EndFunc

Func func_3737()
    Global Const $aycqkqgdnvzzuelotalsibom = 116
EndFunc

Func fcuyxygngqkejfunc()
    Return 240
EndFunc

Func b_tjx__b_gydgvfhvujxdecdt()
    Return 16274
EndFunc

; RC4 encrypt/decrypt helper around the Crypt UDF.
; $g_ttugoc  - True = encrypt $wfdkbvdkw, False = decrypt it and convert the
;              resulting Binary to a string.
; $wfdkbvdkw - data (here a "0x..." hex literal, which AutoIt treats as Binary)
; $var_1987  - password; _crypt_derivekey() turns it into the RC4 key via MD5.
; @error from the Crypt calls is not checked, so on failure the -1 sentinel
; is converted and returned as if it were plaintext.
Func asdasfcyzncmmkxdiasd($g_ttugoc, $wfdkbvdkw, $var_1987)
    _crypt_startup()
    Local $2k__c7vruxrccotz_7o_sziyu = ""
    If $g_ttugoc Then
        $2k__c7vruxrccotz_7o_sziyu = _crypt_encryptdata($wfdkbvdkw, $var_1987, $calg_rc4)
    Else
        $2k__c7vruxrccotz_7o_sziyu = BinaryToString(_crypt_decryptdata($wfdkbvdkw, $var_1987, $calg_rc4))
    EndIf
    _crypt_shutdown()
    Return $2k__c7vruxrccotz_7o_sziyu
EndFunc

Func ppehh()
    Return 1489
EndFunc

Func wmnarldlprmzdfpuzyeg()
    Global $povvyzid_qgidn_wyfvjlr = 202
EndFunc

Func gxwnevfunc()
    Return 42237
EndFunc

Func yngqhchqiglaidnvi()
    Global Const $qw_vouefw_jxcp_uc = 46689
EndFunc

Func tltxqeosckamcn()
    Return 17320
EndFunc

Func gtiy_awokcfj_e_a()
    Return 104
EndFunc

; Script body: the only top-level statement - runs the challenge logic.
cmmkxdi()

Func dzaaicyzncmmkxdiwul()
    Global $irqoogvvik_skzydliuxf_xgollwjjr = 77
EndFunc

Func wzo_qj_lm_ezrvtmgjtnha()
    Return 83
EndFunc

Func bgkxwlof__dfbqzrdoiw()
    Global Const $funlsg_cbvxwomt = 64
EndFunc
--------------------------------------------------------------------------------
/ctf.squnity.com/script/script.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Revers3c-Team/CTF-writeups/95c1344a3f62d767b11152c0fcda1929f5af48c6/ctf.squnity.com/script/script.exe
--------------------------------------------------------------------------------